[SGVLUG] Security/auditing and the "sudo" log

Emerson, Tom (*IC) Tom.Emerson at wbconsultant.com
Mon Mar 2 10:24:44 PST 2009


The subject of "su" and "sudo" came up at work today, in particular the
fact that "su" logs (at best) the fact that someone switched to a
different ID, but not what they did as that user.  On the other hand,
"sudo" logs each command.

I couldn't find much on the format of this log (at least, with the
5-minute search of Google); there is a Wikipedia page with "an example",
but that certainly isn't exhaustive; most of the other search results
were posts to message lists like this one asking the same question (and
getting no response, which is no help either).

Who around here uses this (religiously) AND reviews the log file on a
regular basis - how easy is it to spot intentional attempts to do
something potentially dangerous vs. fat-fingering a password or command?
What actions do you take when you find a violation or possible
"infiltrator"?

Tom

P.S. Of course, I'm in a "need this info now" situation, but I'm also
thinking this might make an interesting 15-minute presentation at our
regular meeting.
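Added example (not from Tom's post or from the sudo project): a small Python reviewer for the lines sudo writes to syslog, run over constructed sample lines. The field layout (user : reason ; TTY= ; PWD= ; USER= ; COMMAND=) and the refusal phrases are assumed from sudo's usual syslog output, and the typo heuristic and thresholds are the author's own; it separates policy refusals and repeated bad passwords from a single mistyped password followed by the same command succeeding.

```python
import re
from collections import Counter
# Constructed sample lines in the shape sudo writes to syslog; the field layout
# and refusal phrases are assumed from sudo's usual output, not a real host.
SAMPLE_LOG = """\
Mar  2 10:20:11 host sudo:     tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  2 10:21:05 host sudo:     tom : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/ls /root
Mar  2 10:21:20 host sudo:     tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/ls /root
Mar  2 10:30:44 host sudo:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  2 10:31:02 host sudo:     bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  2 10:32:10 host sudo:   alice : command not allowed ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""
LINE_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
def parse_line(line):
    """Return a dict for one sudo log line, or None if sudo did not write it."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    reason = rec.pop("reason") or ""  # success lines carry no reason field
    if "incorrect password" in reason:
        rec["event"] = "auth_failure"
        rec["attempts"] = int(reason.split()[0])  # "N incorrect password attempt(s)"
    elif "NOT in sudoers" in reason or "command not allowed" in reason:
        rec["event"] = "policy_denied"  # sudoers refused it outright: never a typo
    else:
        rec["event"] = "command_run"  # the line sudo writes when it runs the command
    return rec
def review(log_text, max_bad_passwords=2):
    """Commands run per user, findings worth a look, and likely fat-fingered passwords."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    ran = Counter(r["user"] for r in recs if r["event"] == "command_run")
    findings, typos, bad = [], [], Counter()
    for i, r in enumerate(recs):
        if r["event"] == "policy_denied":
            findings.append(f"{r['user']} refused by policy: {r['cmd']} as {r['target']}")
        elif r["event"] == "auth_failure":
            bad[r["user"]] += r["attempts"]
            # one miss, then the same user runs the same command: reads as a typo
            later = [x for x in recs[i + 1:] if x["user"] == r["user"] and x["cmd"] == r["cmd"]]
            if r["attempts"] == 1 and any(x["event"] == "command_run" for x in later):
                typos.append(f"{r['user']}: one bad password, then ran {r['cmd']}")
    for user, n in bad.items():
        if n > max_bad_passwords:
            findings.append(f"{user}: {n} bad password attempts")
    return {"commands": dict(ran), "findings": findings, "likely_typos": typos}
```

Feed it the sudo lines from your own auth.log in place of SAMPLE_LOG; the threshold and the "same command succeeds afterwards" rule are the knobs to tune for your site.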

