HPE Community
Operating System - Linux
1756778 Members
3291 Online
108852 Solutions
New Discussion юеВ

Sudo Log

 
SOLVED
Go to solution
Waqar Razi
Regular Advisor

тАО08-04-2009 09:11 AM

тАО08-04-2009 09:11 AM

Sudo Log

I need a suggestion. We are enabling sudo access to our servers. Does sudo offers any type of logging? How can we enable that in RHEL?

I have another question. Lets say we have granted some users root access using sudo like sudo su -. Is there any way, we can monitor that user activity after he has switched to root using sudo su -
0 Kudos
Reply
5 REPLIES 5
Steven E. Protter
Exalted Contributor

тАО08-04-2009 09:22 AM

тАО08-04-2009 09:22 AM

Re: Sudo Log

Shalom,

http://linux.about.com/od/commands/l/blcmdl8_sudo.htm

By default sudo logs to /var/log/messages or whatever syslog is set to.

It can be configured to use its own log file.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Waqar Razi
Regular Advisor

тАО08-04-2009 09:23 AM

тАО08-04-2009 09:23 AM

Re: Sudo Log

Do you know how can we setup it in /etc/sudoers file?
0 Kudos
Reply
Waqar Razi
Regular Advisor

тАО08-04-2009 09:57 AM

тАО08-04-2009 09:57 AM

Re: Sudo Log

I have setup /var/log/sudo.log for logging sudo activities. I have the following questions now:

1- After switching to sudo root access by using sudo su -, I can see the switch in the /var/log/sudo.log file:

Aug 4 13:49:40 : t-aabb : TTY=pts/1 ; PWD=/home/t-aabb ; USER=root ;
COMMAND=/bin/su -

But after that, sudo.log is not logging any activities performed by user imran as root. For instance, lets say the user now issues shutdown -r now command after switching to root using sudo su -, How can I configure sudo to log these activities as well.

0 Kudos
Reply
Jeff_Traigle
Honored Contributor

тАО08-04-2009 11:20 AM

тАО08-04-2009 11:20 AM

Solution

Re: Sudo Log

You can't. Sudo will only log the command it allows. If "su -" is allowed, sudo won't know anything about it and won't log it. Some system command auditing is needed... preferably one that has a facility to log remotely to a system the user doesn't have the ability to potential access and modify log records. Relying on shell histories and local logs, especially when allowing a root shell, isn't very effective. :)
--
Jeff Traigle
Reply
Jeff_Traigle
Honored Contributor

тАО08-04-2009 11:21 AM

тАО08-04-2009 11:21 AM

Re: Sudo Log

That should read:

If "su -" is allowed, sudo won't know anything beyond that and won't log the shell activity.
--
Jeff Traigle
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.