Why did secure sudo logging change from RHEL5 to 6 for 'sudo command' after 'sudo -s' ?

Solution Verified - Updated -

Issue

  • This is a sudo and secure logging change of behavior between Red Hat Enterprise Linux 5 and 6.
  • It has been noted that one can run any/all commands through sudo, even after one has done sudo -s and gotten to a root shell. In other words, even after one is in a root shell, prefixing commands with sudo forces sudo to log the actual user, command and timestamp to /var/log/secure.
  • However under RHEL5 such a log entry would show sudo: realuser ... USER=root, while under RHEL6 it records sudo: root ... USER=root, thereby disguising the actual user.
  • What has changed between RHEL5 and 6 for sudo and secure logging ? Can one make RHEL6 do the same as RHEL5 far as this goes?
  • Is this some kind of environment handling issue, or sudoers setup?

Environment

  • Red Hat Enterprise Linux 6.4
  • sudo-1.8.6p3-7.el6.x86_64

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.