
audit logs while doing sudo

sabirkk asked
Hi guys,

Hi, I have a scenario with two users (aaa and bbb). I am logged in as aaa and run sudo su -u bbb.
Now how will the audit log be recorded (I mean, under the name aaa or bbb)?

Please give me an expert comment on this.

So it is stored in /var/log/secure

I just used sudo su -

I found this entry

Dec  4 16:36:15 MY_Server_NAME sudo:   MY_USER_NAME : TTY=pts/1 ; PWD=/home/MY_USER_NAME ; USER=root ; COMMAND=/bin/su -
In general, you will have to look for the word 'sudo' in /var/log/secure

Author

Commented:


Because initially I am logged in as aaa, then I sudo su - bbb to the bbb environment.

So the activity will be logged as whom, aaa or bbb?

It provides both. If you look carefully at the log line, you will see it gives you the command you used.

Take a look:
Initial User is bolded
Dec  4 16:36:15 MY_Server_NAME sudo:   MY_USER_NAME : TTY=pts/1 ; PWD=/home/MY_USER_NAME ; USER=root ; COMMAND=/bin/su -

Final User is bolded
Dec  4 16:36:15 MY_Server_NAME sudo:   MY_USER_NAME : TTY=pts/1 ; PWD=/home/MY_USER_NAME ; USER=root ; COMMAND=/bin/su -

Command tells what command the initial user issued to become a final user.

Author

Commented:
OK, the command issued after the su (I mean after switching to bbb), will it be logged as bbb?
Only the sudo commands are logged.

So if you were logged on as aaa and then switched to bbb using,

sudo su - bbb

Then you will have an entry like
Dec  4 16:36:15 MY_Server_NAME sudo:   aaa : TTY=pts/1 ; PWD=/home/MY_USER_NAME ; USER=bbb ; COMMAND=/bin/su - bbb

Once it switches to bbb, the commands issued as bbb will not be stored in /var/log/secure.  They will be logged in the history file of bbb, if it is correctly configured.
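
The log format discussed in this thread can be parsed to pull out both users, shown here as an added example that is not part of the original thread. It also flags entries that hand over a shell, since that is where sudo's own record of the session stops. The sample lines are constructed in the format quoted above, with a hypothetical host name (host1); the function names are this example's own.

```python
import re

# Syslog prefix, then "sudo: <invoking user> : <fields separated by ' ; '>"
SUDO_LINE = re.compile(r"\ssudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : (?P<fields>.*)$")
# Binaries that hand over an interactive shell: sudo logs only this one line.
SHELL_NAMES = {"su", "sh", "bash", "zsh", "ksh", "csh", "tcsh", "dash"}

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = SUDO_LINE.search(line.rstrip("\n"))
    if not m or "COMMAND=" not in m.group("fields"):
        return None
    # COMMAND is the last field and may contain ' ; ' itself, so cut it off first.
    head, _, command = m.group("fields").partition("COMMAND=")
    record = {"invoker": m.group("invoker"), "command": command.strip()}
    for field in head.split(" ; "):
        key, sep, value = field.strip().partition("=")
        if sep:
            record[key.lower()] = value      # tty, pwd, user (= target user)
        elif key:
            record["note"] = key             # e.g. "command not allowed"
    parts = record["command"].split()
    binary = parts[0].rsplit("/", 1)[-1] if parts else ""
    record["opens_shell"] = binary in SHELL_NAMES
    return record

def summarize(lines):
    """Return (invoker, target, command, opens_shell) for each sudo record."""
    rows = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec:
            rows.append((rec["invoker"], rec.get("user"), rec["command"],
                         rec["opens_shell"]))
    return rows

# Constructed sample lines in the /var/log/secure format quoted in the thread.
SAMPLE = [
    "Dec  4 16:36:15 host1 sudo:   aaa : TTY=pts/1 ; PWD=/home/aaa ; USER=bbb ; COMMAND=/bin/su - bbb",
    "Dec  4 16:37:02 host1 sshd[2211]: Accepted password for aaa from 192.0.2.10 port 50022 ssh2",
    "Dec  4 16:40:41 host1 sudo:   aaa : TTY=pts/1 ; PWD=/home/aaa ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd",
    "Dec  4 16:41:09 host1 sudo:   bbb : command not allowed ; TTY=pts/2 ; PWD=/home/bbb ; USER=root ; COMMAND=/bin/ls /root",
]

if __name__ == "__main__":
    for invoker, target, command, opens_shell in summarize(SAMPLE):
        flag = "  <- shell: later commands not logged by sudo" if opens_shell else ""
        print(f"{invoker} -> {target}: {command}{flag}")
```
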