Track SUDO usage in RHEL 5

Posted on 2012-08-13
Medium Priority
Last Modified: 2012-08-14
Is there a way to do this?  Someone logged into one of our servers about 11 hours ago and sudo-ed to root and killed a bunch of stuff.  Can I run a command or check a log to see what users actually sudo-ed?
Question by:sedberg1
1 Comment

Accepted Solution

theraff earned 2000 total points
ID: 38288567
Short answer: Yes, their authentication will be logged in /var/log/messages. The command they issued will probably be logged along with their username in /var/log/secure

Long answer: Depending on your particular logging setup, sudo access might be redirected to a remote syslog / syslog-ng server (good practice).

WARNING: if you suspect that your company will want to do anything remotely legal with this information once you get it, then stop what you're doing straight away! You need to begin a proper forensic investigation of the system and methodically collect data, starting with the most volatile. (Eg: You have to make hashes file, build a timeline of events from data in log files, MAC times on files etc.). This information must be stored securely. If you don't do this then it may be impossible to pursue any legal action. If you think it's unlikely that your company will bother prosecuting, and you only want to find the culprit so you can give them a slap somebody on the wrist or some "training", then you can can just poke around in the /var/log/* files until you find what you want.

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The purpose of this article is to demonstrate how we can upgrade Python from version 2.7.6 to Python 2.7.10 on the Linux Mint operating system. I am using an Oracle Virtual Box where I have installed Linux Mint operating system version 17.2. Once yo…
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses
Course of the Month14 days, 22 hours left to enroll

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question