Thanks for the answers so far.
We have thought of aliasing commands but creating alias for every each obscure command that one uses daily is simply not feasible. Solution should be transparent.
And the answer to if root login is prohibited. The answer is yes and no, as expected. Root password is a random string of 30+ characters, changed monthly by one of the sysadmins and kept in 3 locations in a safe in a sealed envelope and direct root login is only allowed through the console as any sane sysadmin does. On the other hand, people like me, who have sysadmin group privileges are able to access a root shell via
sudo su -
but the caveat is, once you are in the root shell using this command, there is no way that auditors can tell what commands you have executed. And since there are more than one person with this level of access privileges, if 2 people were using root shell at the same time (by the way limiting number of admin user logins is not an option) and something bad happens to the system, the question of "who to blame ?" turns into a finger pointing match. This has never happened but at least, this is the mentality why we need this accountability. Also, using powerbroker in the past saved my rear end more than once, by checking the pb.log files on the master server to figure out what went wrong. But again pb is way too expensive to deploy on all our servers.
What I am looking for by the way of sudo is:
1. user issues "sudo su -" command and gets authorized
2. sudo spawns a subshell with logging enabled as in "script" command"
3. output of the script command goes to a remote server
this approach above is one way I can envision this could be done, although quite hard.
second way I see this happen:
1. user issues "sudo su -" command and gets authorized
2. sudo allows every command typed, to go to syslog, not only failures and errors. This could even be configured by syslog.conf file but I have not investigated this option.
3. by means of syslog.conf, server sends the logs to a remote server simultaneously.
4. on remote server, a perl or similar script can be utilized to skim out the sudo directives out of the whole syslog file.
On this approach, I see a need for recompilation os sudo binaries but not being a programmer myself, I am not even sure if this mechanism can be built into the application.
Again thanks for all the responses in advance.
________________________________
UNIX because I majored in cryptology...
