Why did secure sudo logging change from RHEL5 to 6 for 'sudo command' after 'sudo -s'?
Issue
- This is a `sudo` and `secure` logging change of behavior between Red Hat Enterprise Linux 5 and 6.
- It has been noted that one can run any/all commands through `sudo`, even after one has done `sudo -s` and gotten to a `root shell`. In other words, even after one is in a `root` shell, prefixing commands with `sudo` forces `sudo` to log the actual user, command and timestamp to `/var/log/secure`.
- However, under RHEL5 such a log entry would show `sudo: realuser ... USER=root`, while under RHEL6 it records `sudo: root ... USER=root`, thereby disguising the actual user.
- What has changed between RHEL5 and 6 for `sudo` and `secure` logging? Can one make RHEL6 do the same as RHEL5 as far as this goes?
- Is this some kind of environment handling issue, or `sudoers` setup?
Environment
- Red Hat Enterprise Linux 6.4
- `sudo-1.8.6p3-7.el6.x86_64`
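For auditing the RHEL6-style entries described under Issue, the following added example (not Red Hat's code and not part of the original article) scans `secure` log lines for `sudo: root ... USER=root` entries and reports which non-root user last opened a root shell through `sudo` on the same TTY. It assumes the usual sudo syslog layout (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`); the sample lines, the host name and the user `alice` are constructed, and matching by TTY is a heuristic, not proof of identity.

```python
import re

# Assumed sudo syslog layout: "<invoker> : TTY=<tty> ; PWD=<dir> ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+) : TTY=(?P<tty>\S+) ; PWD=.*? ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.+)$"
)
SHELLS = {"bash", "sh", "ksh", "zsh", "csh", "tcsh"}

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    "Mar  3 09:14:02 host1 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 09:14:40 host1 sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/id",
    "Mar  3 09:15:10 host1 sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ls",
]

def find_masked(lines):
    """Return (tty, command, likely_user) for each sudo entry logged as root -> root.

    likely_user is the last non-root user seen starting a shell as root via
    sudo on that TTY, or None when the log holds no such entry.
    """
    shell_owner = {}   # tty -> non-root user who last opened a root shell there
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m.group("runas") != "root":
            continue
        invoker, tty, command = m.group("invoker", "tty", "command")
        if invoker != "root":
            # Remember who escalated to a root shell on this terminal.
            binary = command.split()[0].rsplit("/", 1)[-1]
            if binary in SHELLS:
                shell_owner[tty] = invoker
        else:
            # The entry names root as the caller; fall back to the TTY history.
            findings.append((tty, command, shell_owner.get(tty)))
    return findings

if __name__ == "__main__":
    for tty, command, user in find_masked(SAMPLE):
        print(f"{tty}: {command} logged as root, likely user: {user or 'unknown'}")
```

Entries reported with an unknown user have no earlier root-shell escalation on that TTY in the lines supplied and need other evidence, such as login records, to attribute.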