Track SUDO usage in RHEL 5

Is there a way to do this?  Someone logged into one of our servers about 11 hours ago and sudo-ed to root and killed a bunch of stuff.  Can I run a command or check a log to see what users actually sudo-ed?
Who is Participating?
theraffConnect With a Mentor Commented:
Short answer: Yes, their authentication will be logged in /var/log/messages. The command they issued will probably be logged along with their username in /var/log/secure

Long answer: Depending on your particular logging setup, sudo access might be redirected to a remote syslog / syslog-ng server (good practice).

WARNING: if you suspect that your company will want to do anything remotely legal with this information once you get it, then stop what you're doing straight away! You need to begin a proper forensic investigation of the system and methodically collect data, starting with the most volatile. (Eg: You have to make hashes file, build a timeline of events from data in log files, MAC times on files etc.). This information must be stored securely. If you don't do this then it may be impossible to pursue any legal action. If you think it's unlikely that your company will bother prosecuting, and you only want to find the culprit so you can give them a slap somebody on the wrist or some "training", then you can can just poke around in the /var/log/* files until you find what you want.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.