Hi Justin
I read the following on the sudo user mailing list:
https://www.sudo.ws/mailman/listinfo/sudo-users
Thread: https://www.sudo.ws/pipermail/sudo-users/2012-February/004922.html
> I am testing out the logging features of version 1.8.3 and so far
> the only question I have is when a user does a sudo su - how come
> all the commands are not still logged. I see the sudo su part in
> the logs but that's it. We regularly have to sudo from our personal
> account into another user's account and due to that we need to first
> sudo su - to get into root.
Once you run a shell sudo cannot log the individual commands you
run. If you have log_output enabled you can see the output of the
session, including the commands run, but the individual commands
are not logged separately. You can, however, use sudo to run
commands as another user directly. E.g. sudo -u other_user command.
------------------------------
Jan Harris
------------------------------
Original Message:
Sent: Thu August 19, 2021 10:18 AM
From: Justin Reddell
Subject: Sudo Logging after sudo to a user
Hello everyone,
I have done a fair bit of research and everything I am running into says to place log_output and log_input into the sudoers file to capture what is run after a user sudos to another user. It is creating the /var/log/sudo-io directory structure and sudoreplay gives just generic log information as I am used to seeing, only showing the "sudo su -" command. Is there a feature in sudo that will allow auditing of what a user does after they "sudo su -"? If so, could you provide any guidance on the subject? Maybe I am just missing a key step.
Thanks,
Justin
------------------------------
Justin Reddell
------------------------------
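An added example, not part of the thread or of sudo itself: a small audit script that applies the quoted mailing-list answer to sudo's log. It picks out entries where the logged command is an interactive shell, since for those the single log line is all sudo records per command, and points the reviewer at the I/O log session to replay with sudoreplay. The log lines are constructed samples in sudo's default syslog line format, and the list of shell names is an assumption to adjust per site.

```python
import re

# Constructed sample lines; TSID is present only when I/O logging (log_output/log_input) is on.
SAMPLE_LOG = """\
Aug 19 10:02:11 host1 sudo:   justin : TTY=pts/0 ; PWD=/home/justin ; USER=root ; TSID=000001 ; COMMAND=/bin/su -
Aug 19 10:05:40 host1 sudo:   justin : TTY=pts/0 ; PWD=/home/justin ; USER=other_user ; TSID=000002 ; COMMAND=/usr/bin/id
Aug 19 10:07:03 host1 sudo:   justin : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Aug 19 10:09:15 host1 sudo:   justin : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su -
"""

ENTRY = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<fields>.*)$")
SHELLS = {"su", "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}  # assumed list

def parse(line):
    """Split one sudo log line into its fields; None if it is not a command entry."""
    m = ENTRY.search(line)
    if not m or "COMMAND=" not in m["fields"]:
        return None
    head, _, command = m["fields"].partition("COMMAND=")
    kv, ran = {}, True
    for part in filter(None, (p.strip() for p in head.split(";"))):
        key, sep, val = part.partition("=")
        if sep and key.isupper():
            kv[key] = val
        else:
            ran = False  # free-text reason, e.g. a failed password attempt
    return {"user": m["user"], "runas": kv.get("USER"), "tsid": kv.get("TSID"),
            "command": command, "ran": ran}

def is_shell(command):
    """True when the command starts an interactive shell (no -c command string)."""
    argv = command.split()
    return argv[0].rsplit("/", 1)[-1] in SHELLS and "-c" not in argv[1:]

def audit(log_text):
    """Return (user, runas, command, next step) for every shell session sudo started."""
    findings = []
    for line in log_text.splitlines():
        e = parse(line)
        if e is None or not e["ran"] or not is_shell(e["command"]):
            continue  # direct commands are already fully described by the log line
        step = f"sudoreplay {e['tsid']}" if e["tsid"] else "no I/O log: session content not recorded"
        findings.append((e["user"], e["runas"], e["command"], step))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(" | ".join(finding))
```

The `sudo -u other_user` entry is skipped because its log line already names the exact command that ran.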