Track SUDO usage in RHEL 5

Posted on 2012-08-13
Last Modified: 2012-08-14
Is there a way to do this?  Someone logged into one of our servers about 11 hours ago and sudo-ed to root and killed a bunch of stuff.  Can I run a command or check a log to see what users actually sudo-ed?
Question by:sedberg1

    Accepted Solution

    Short answer: Yes, their authentication will be logged in /var/log/messages. The command they issued will probably be logged along with their username in /var/log/secure.

    Long answer: Depending on your particular logging setup, sudo access might be redirected to a remote syslog / syslog-ng server (good practice).

    WARNING: if you suspect that your company will want to do anything remotely legal with this information once you get it, then stop what you're doing straight away! You need to begin a proper forensic investigation of the system and methodically collect data, starting with the most volatile. (E.g. you have to make file hashes, build a timeline of events from data in log files, MAC times on files etc.) This information must be stored securely. If you don't do this then it may be impossible to pursue any legal action. If you think it's unlikely that your company will bother prosecuting, and you only want to find the culprit so you can give somebody a slap on the wrist or some "training", then you can just poke around in the /var/log/* files until you find what you want.
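To show what "poking around in /var/log/secure" looks like in practice, here is an added example (not part of the answer above) that parses the sudo lines syslog writes on RHEL 5 and lists who ran what as root, separating granted invocations from denied attempts. It assumes the default sudo log line layout (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`); the sample lines are constructed, not taken from a real system.

```python
import re
from collections import defaultdict

# Layout of a sudo line in /var/log/secure on RHEL 5 (syslog, authpriv facility):
#   Aug 13 02:14:07 web01 sudo:    jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/su -
# Denied attempts carry a reason before the TTY field, e.g. "user NOT in sudoers"
# or "3 incorrect password attempts". Other sudo lines (pam_unix session
# open/close) are ignored. Note the syslog timestamp has no year.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>(?!TTY=)[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_log(lines):
    """Return one dict per sudo invocation; 'ok' is False for denied attempts."""
    records = []
    for line in lines:
        m = SUDO_RE.match(line.rstrip("\n"))
        if not m:
            continue
        rec = m.groupdict()
        rec["ok"] = rec["reason"] is None
        records.append(rec)
    return records

def commands_by_user(records, granted_only=True):
    """Map each invoking user to the commands they ran (or, if granted_only=False, tried to run)."""
    out = defaultdict(list)
    for r in records:
        if granted_only and not r["ok"]:
            continue
        out[r["user"]].append(r["cmd"])
    return dict(out)

def grep_commands(records, needle):
    """Records whose COMMAND contains needle, e.g. 'kill' or 'service'."""
    return [r for r in records if needle in r["cmd"]]

# Constructed sample in /var/log/secure format (hypothetical host and users).
SAMPLE = """\
Aug 13 02:13:50 web01 sudo:    jdoe : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/su -
Aug 13 02:14:07 web01 sudo:    jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/su -
Aug 13 02:14:07 web01 sudo: pam_unix(sudo:session): session opened for user root by jdoe(uid=0)
Aug 13 02:20:31 web01 sudo:    asmith : TTY=pts/2 ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/killall -9 httpd
Aug 13 02:21:02 web01 sudo:    bob : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
""".splitlines()

if __name__ == "__main__":
    recs = parse_sudo_log(SAMPLE)  # on a real box: parse_sudo_log(open("/var/log/secure"))
    for user, cmds in sorted(commands_by_user(recs).items()):
        print(user, cmds)
    for r in grep_commands(recs, "kill"):
        print("%s %s %s -> %s" % (r["ts"], r["user"], r["tty"], r["cmd"]))
```

Remember that a `sudo su -` or `sudo -i` entry only records the shell, not what was run inside it; for that you need the shell history or a dedicated audit trail.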
