
Sudo Log

 
Waqar Razi
Regular Advisor

Sudo Log

I need a suggestion. We are enabling sudo access to our servers. Does sudo offer any type of logging? How can we enable that in RHEL?

I have another question. Let's say we have granted some users root access using sudo, like sudo su -. Is there any way we can monitor that user's activity after he has switched to root using sudo su -?
5 REPLIES
Steven E. Protter
Exalted Contributor

Re: Sudo Log

Shalom,

http://linux.about.com/od/commands/l/blcmdl8_sudo.htm

By default sudo logs to /var/log/messages or whatever syslog is set to.

It can be configured to use its own log file.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Waqar Razi
Regular Advisor

Re: Sudo Log

Do you know how we can set it up in the /etc/sudoers file?
Waqar Razi
Regular Advisor

Re: Sudo Log

I have set up /var/log/sudo.log for logging sudo activities. I have the following questions now:

1- After switching to sudo root access by using sudo su -, I can see the switch in the /var/log/sudo.log file:

Aug 4 13:49:40 : t-aabb : TTY=pts/1 ; PWD=/home/t-aabb ; USER=root ;
COMMAND=/bin/su -

But after that, sudo.log is not logging any activities performed by user imran as root. For instance, let's say the user now issues the shutdown -r now command after switching to root using sudo su -. How can I configure sudo to log these activities as well?

Jeff_Traigle
Honored Contributor
Solution

Re: Sudo Log

You can't. Sudo will only log the command it allows. If "su -" is allowed, sudo won't know anything about it and won't log it. Some system command auditing is needed... preferably one that has a facility to log remotely to a system the user doesn't have the ability to potentially access and modify log records. Relying on shell histories and local logs, especially when allowing a root shell, isn't very effective. :)
--
Jeff Traigle
Jeff_Traigle
Honored Contributor

Re: Sudo Log

That should read:

If "su -" is allowed, sudo won't know anything beyond that and won't log the shell activity.
--
Jeff Traigle
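
As an added illustration (not code from any poster in this thread), this Python sketch parses the sudo.log format quoted above and lists the entries where sudo started a shell, which are the points past which, per the accepted answer, sudo records nothing further. The sample log lines, the user names other than t-aabb, and the SHELLS list are constructed assumptions.

```python
import os
import re

# Constructed sample in the logfile format quoted in the thread; long
# entries wrap onto a continuation line. The last entry is a denied attempt.
SAMPLE_LOG = """\
Aug 4 13:49:40 : t-aabb : TTY=pts/1 ; PWD=/home/t-aabb ; USER=root ;
    COMMAND=/bin/su -
Aug 4 13:52:10 : t-ccdd : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/sbin/shutdown -r now
Aug 4 14:01:03 : t-eeff : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Aug 4 14:05:00 : t-eeff : TTY=pts/3 ; PWD=/tmp ; USER=apache ; COMMAND=/bin/sh
Aug 4 14:09:30 : t-gghh : command not allowed ; TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su -
"""

ENTRY_START = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) : (\S+) : (.*)$")
# Programs that hand over an interactive shell (assumed list; extend per site).
SHELLS = {"su", "sh", "bash", "ksh", "csh", "tcsh", "zsh", "dash"}

def parse_entries(text):
    """Yield one dict per sudo log entry, joining wrapped continuation lines."""
    joined = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not joined:
            joined.append(line.strip())
        else:
            joined[-1] += " " + line.strip()
    for m in filter(None, map(ENTRY_START.match, joined)):
        when, user, rest = m.groups()
        head, _, command = rest.partition("COMMAND=")
        fields = [f.strip() for f in head.split(";") if f.strip()]
        # A leading field without "=" is a status such as "command not allowed".
        status = fields[0] if fields and "=" not in fields[0] else None
        entry = {"time": when, "user": user, "status": status,
                 "command": command.strip()}
        entry.update(f.split("=", 1) for f in fields if "=" in f)
        yield entry

def shell_handoffs(text):
    """Return allowed entries where sudo started a shell; what the user
    does inside that shell never reaches sudo's log."""
    hits = []
    for e in parse_entries(text):
        argv = e["command"].split()
        if e["status"] is None and argv and os.path.basename(argv[0]) in SHELLS:
            hits.append((e["time"], e["user"], e.get("USER"), e["command"]))
    return hits

if __name__ == "__main__":
    for hit in shell_handoffs(SAMPLE_LOG):
        print("sudo log goes blind after:", hit)
```

Each reported entry marks a session that has to be covered by some other audit source, since the shutdown -r now typed inside the su - shell in the question above would never appear as its own sudo.log line.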