Why did secure sudo logging change from RHEL5 to 6 for 'sudo command' after 'sudo -s' ?

Solution Verified - Updated -


  • This is a sudo and secure logging change of behavior between Red Hat Enterprise Linux 5 and 6.
  • It has been noted that one can run any/all commands through sudo, even after one has done sudo -s and gotten to a root shell. In other words, even after one is in a root shell, prefixing commands with sudo forces sudo to log the actual user, command and timestamp to /var/log/secure.
  • However under RHEL5 such a log entry would show sudo: realuser ... USER=root, while under RHEL6 it records sudo: root ... USER=root, thereby disguising the actual user.
  • What has changed between RHEL5 and 6 for sudo and secure logging ? Can one make RHEL6 do the same as RHEL5 far as this goes?
  • Is this some kind of environment handling issue, or sudoers setup?


  • Red Hat Enterprise Linux 6.4
  • sudo-1.8.6p3-7.el6.x86_64

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In