Log all sudo commands by each user as root


We have the need to log every command run as root by each user that did a "sudo su -" to root.

Easy way to do this? Yes, I can look at .bash_history for root, but I need to see who was sudo'd to root and what did each person run as root.

Thank you.

Responses

Edit the sudoers file by running visudo and add the following line in the Defaults section:

Defaults logfile=/var/log/sudo

Now all the commands entered by sudo users will be logged in /var/log/sudo.

Thanks, but that shows me the same thing I already see in /var/log/secure. It shows:

May 5 08:14:49 : username : TTY=pts/2 ; PWD=/home/username ; USER=root ; COMMAND=/bin/su -

It doesn't show the commands the person is running as root.

Hi Gary,

The proper solution in this special case is to enable auditing.

There are other options that could help, but they are just workarounds. Take a look at some very creative possibilities:

https://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers

Regards,

Dusan Baljevic (amateur radio VK2COT)
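The reply above recommends auditing without showing a rule set. The script below is an added example, not code from Dusan or from this thread, showing the kind of audit rule that answers the original question: it records every program executed with effective uid 0 by someone whose login uid (auid) is a normal account, which is exactly what survives a "sudo su -" or "sudo -i". The rules file path and the key name "root-cmds" are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): auditd rules that record every execve
# run as root by a user who logged in as a normal account first. The kernel
# audit subsystem keeps the original login uid (auid) across sudo and su, so
# "who ran what as root" is answered even after "sudo su -".
# RULES_FILE and AUDIT_KEY are this example's assumptions.

RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/50-root-cmds.rules}"
AUDIT_KEY="root-cmds"

# Print the rules. auid>=1000 restricts this to real login accounts;
# auid!=4294967295 (unset, i.e. -1) skips daemons and boot-time processes.
# Both syscall ABIs are covered so a 32-bit binary cannot slip past the rule.
root_execve_rules() {
    cat <<EOF
## added example: log every execve run as root by a logged-in user
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k $AUDIT_KEY
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k $AUDIT_KEY
EOF
}

# Write the rules into the rules.d directory (needs root) and load them.
install_root_execve_rules() {
    root_execve_rules > "$RULES_FILE" &&
    augenrules --load
}

# Review: ausearch -i resolves auid to the login name, so each record shows
# the original user next to the command executed as root, e.g.
#   ausearch -k root-cmds -i | grep -E 'type=(SYSCALL|EXECVE)'
root_execve_rules
```

Run `install_root_execve_rules` once as root; afterwards `ausearch -k root-cmds -i` lists the commands with the login user in the `auid` field, and `aureport -x -i` gives a per-executable summary.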

To clarify a simple method:

a) Add the following into /root/.bashrc

# timestamp each history entry (the "#<epoch>" lines this adds are skipped below)
export HISTTIMEFORMAT="%Y-%m-%d %T "
# before every prompt: append new history lines to ~/.bash_history and send each
# command to syslog (user.info) tagged with the shell PID, the effective user
# and the original sudo user; signals are ignored while the pipeline runs
export PROMPT_COMMAND='trap "" 1 2 15; history -a >(tee -a ~/.bash_history | while read line; do if [[ $line =~ ^#[0-9]*$ ]]; then continue; fi; logger -p user.info -t "bash[$$]" "($USER:${SUDO_USER}: $line)"; done); trap 1 2 15;'

b) Log in as normal user and execute "sudo -i", then run any commands.

c) All superuser commands will be immediately logged in /var/log/messages with the correct username of who executed them:

May 6 09:45:15 myserv bash[98070]: (root:myusername: ps)
May 6 09:45:25 myserv bash[98070]: (root:myusername: whoami)
May 6 09:45:37 myserv bash[98070]: (root:mysername: cat .bashrc)

Best wishes,

Dusan Baljevic (amateur radio VK2COT)
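Once the logger trick above is in place, the question becomes how to read the result back per user. The script below is an added example, not code from Dusan or from this thread: it parses syslog lines of the form shown in step c) into "user, shell PID, command" records and counts commands per original user. It also handles the case the thread does not show, a direct root login where SUDO_USER is empty and the line reads "(root:: cmd)", which it reports under the label "<direct-root>". The sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the syslog lines produced by
# the PROMPT_COMMAND/logger trick so you can answer "who ran what as root".
# Input lines look like:
#   May 6 09:45:15 myserv bash[98070]: (root:myusername: ps)
# A direct root login has no SUDO_USER, giving "(root:: cmd)"; those records are
# labelled "<direct-root>" so they stand out in the report.

# Constructed sample standing in for /var/log/messages.
SAMPLE_LOG='May 6 09:45:15 myserv bash[98070]: (root:alice: ps)
May 6 09:45:25 myserv bash[98070]: (root:alice: whoami)
May 6 09:46:01 myserv bash[98113]: (root:bob: cat /etc/shadow)
May 6 09:47:12 myserv bash[98200]: (root:: id)
May 6 09:48:00 myserv sshd[100]: Accepted publickey for alice from 10.0.0.5'

# root_cmds_by_user < FILE
# Prints "user<TAB>pid<TAB>command" for every root shell command line,
# ignoring unrelated syslog lines (sshd, cron, ...).
root_cmds_by_user() {
    awk '
        # only lines of the form "bash[PID]: (root:USER: CMD)"
        match($0, /bash\[[0-9]+\]: \(root:[^:]*: .*\)$/) {
            rec = substr($0, RSTART, RLENGTH)
            pid = rec;  sub(/^bash\[/, "", pid); sub(/\].*/, "", pid)
            body = rec; sub(/^bash\[[0-9]+\]: \(root:/, "", body); sub(/\)$/, "", body)
            user = body; sub(/:.*/, "", user)
            cmd = body;  sub(/^[^:]*: /, "", cmd)
            if (user == "") user = "<direct-root>"
            printf "%s\t%s\t%s\n", user, pid, cmd
        }'
}

# count_root_cmds USER < FILE  -> number of root commands attributed to USER
count_root_cmds() {
    root_cmds_by_user | awk -v u="$1" 'BEGIN { FS = "\t" } $1 == u { n++ } END { print n + 0 }'
}

# total_root_cmds < FILE -> number of root command records found
total_root_cmds() {
    root_cmds_by_user | awk 'END { print NR }'
}

# Demo on the constructed sample (for real use: root_cmds_by_user < /var/log/messages)
printf '%s\n' "$SAMPLE_LOG" | root_cmds_by_user
```

A record tagged "<direct-root>" means someone reached a root shell without going through sudo, which is the gap the thread is trying to close; on a host where root logins are supposed to be disabled, that label is worth an alert on its own.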

Hello Gary,

Adding to the points suggested by Dusan above, I'd recommend letting other users run any privileged command using 'sudo' only, which is the standard approach, and not letting them change identity to root by doing 'sudo su -'. This way you could audit all sudo commands run by any user using the auditd method. I guess this is possible by making some changes to the /etc/sudoers file or otherwise under the /etc/sudoers.d/ directory.

Hope this helps!