LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
10-06-2019, 07:43 AM   #1   EHSANLINUX (LQ Newbie, Distribution: Centos)
Monitor root user activity


I know logging in as root is not recommended, but I have to find a solution to tell which sysadmins log in as root and change configuration.
 
10-06-2019, 08:19 AM   #2   pan64 (LQ Addict)
Did you check the command 'last' already?
 
10-06-2019, 08:29 AM   #3   EHSANLINUX (Original Poster)

Yes, but it is not helpful for that situation.
Imagine we have 3 users that are sysadmins; every sysadmin logs in as root and changes something, modifies configuration, or anything. I want to find out which sysadmin user made each modification.
 
10-06-2019, 09:29 AM   #4   TB0ne (LQ Guru)
Quote: Originally Posted by EHSANLINUX
Yes, but it is not helpful for that situation.
Imagine we have 3 users that are sysadmins; every sysadmin logs in as root and changes something, modifies configuration, or anything. I want to find out which sysadmin user made each modification.
Think about what you just wrote. If all three people log in as the same user ID (root), then how, exactly, do you think you can tell them apart? Again, logging in as root on ANYTHING but the console is a horribly bad idea, and there is *NO REASON* to do this, at all, ever. Your sysadmins can log in as their regular users, then use sudo or su to get root privileges as needed. You can then look at command history, times/dates of logins, etc., to see who did what. You can ALSO (better) change the root password to something that only YOU know, and let them use SUDO...which will log every command back to their user IDs. They can do anything, but everything will be logged.

And nothing you do is going to have any impact on anything, since (if you have root access) you can wipe out ANY trace of anything you did, leaving you as much in the dark as you are now. Either hire admins you trust, or get rid of the ones you don't.
 
10-06-2019, 09:37 AM   #5   EHSANLINUX (Original Poster)

Yes, I know, but I have to find or make an architecture that monitors root activity.
Using sudo and the wheel group is recommended by Red Hat official books, and I know the root user can do anything.
 
10-06-2019, 09:52 AM   #6   TB0ne (LQ Guru)
Quote: Originally Posted by EHSANLINUX
Yes, I know, but I have to find or make an architecture that monitors root activity. Using sudo and the wheel group is recommended by Red Hat official books, and I know the root user can do anything.
Again: **ONCE YOU HAVE ROOT, YOU CAN DO ANYTHING**. This includes (AGAIN) erasing any traces of whatever you did. In short, you CANNOT DO what you're asking to do, period. Again, you restrict access to root ONLY to the system console, period...you DO NOT log in as root over the network. You keep the root password to yourself, put any other admins in the wheel group, and grant them sudo access. You now have ANY root-level command run tied to a specific user ID, which is what you want.

If you want to be secure, you limit what those users can do; make sure they can't change the root password, remove/edit wtmp, or touch the history/logs for sudo, etc. They then can't erase traces of what they did. More secure? Then mirror your logs to a centralized syslog server, which no one but you has access to.

This is sounding very much like a homework question.
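The sudo-through-wheel plus remote-syslog setup TB0ne describes, as an added example that is not from the thread or any poster: a script that stages a sudoers fragment (wheel gets sudo, every command and full terminal session is recorded, the commands that hand out an unlogged root shell or change the root password are excluded) and an rsyslog drop-in that ships the authpriv/auth stream to a log host. The file names, the log host name loghost.example.internal, and the list of "escape" commands are assumptions; review the staged files before installing them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): stage the sudo + remote-syslog setup
# described above. Paths, the log host and the ESCAPES list are assumptions.
set -u

# Sudoers fragment for /etc/sudoers.d/admins. Admins log in as themselves,
# sit in wheel, and get root only through sudo, which records the invoking
# user, tty and command to syslog (authpriv) and to a local logfile.
write_sudoers_fragment() {
    out=$1
    cat > "$out" <<'EOF'
# Keep a local copy of every sudo invocation in addition to syslog.
Defaults    logfile=/var/log/sudo.log
# Record full terminal sessions; replay with: sudoreplay -d /var/log/sudo-io <id>
Defaults    log_input, log_output
Defaults    iolog_dir=/var/log/sudo-io
# Always allocate a pty so session recording cannot be sidestepped.
Defaults    use_pty

# Commands that would give an unrecorded root shell or change who is root.
Cmnd_Alias  ESCAPES = /bin/su, /usr/bin/su, /bin/bash, /bin/sh, \
                      /usr/bin/passwd root, /usr/sbin/visudo

# wheel may run anything except the escapes. CAVEAT: the sudoers manual says
# '!' negation is not a security boundary (an admin with ALL can copy a shell
# under another name); this guards against accidental unlogged shells and
# must be paired with auditd on the host and logs kept off the host.
%wheel      ALL=(ALL) ALL, !ESCAPES
EOF
    chmod 0440 "$out"
}

# rsyslog drop-in for /etc/rsyslog.d/forward-auth.conf: ship sudo and login
# records to a host the audited admins cannot reach. Host name is assumed.
write_rsyslog_forward() {
    out=$1; loghost=${2:-loghost.example.internal}
    cat > "$out" <<EOF
# Disk-assisted queue so records survive a log-host outage instead of being dropped.
\$ActionQueueType LinkedList
\$ActionQueueFileName fwd_auth
\$ActionResumeRetryCount -1
# '@@' means TCP ('@' alone would be UDP); use the omfwd TLS driver in production.
authpriv.*;auth.*    @@${loghost}:514
EOF
}

# Syntax-check the fragment with visudo when available (it is on CentOS).
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1" >/dev/null
    else
        echo "visudo not found; skipping syntax check for $1" >&2
    fi
}

# Stage into a scratch directory; nothing below touches /etc.
stage=${STAGE_DIR:-$(mktemp -d)}
write_sudoers_fragment "$stage/admins"
write_rsyslog_forward "$stage/forward-auth.conf" "${LOGHOST:-loghost.example.internal}"
check_sudoers "$stage/admins" || echo "fix the fragment before installing it" >&2
echo "staged in $stage; install with:"
echo "  install -o root -g root -m 0440 $stage/admins /etc/sudoers.d/admins"
echo "  install -m 0644 $stage/forward-auth.conf /etc/rsyslog.d/ && systemctl restart rsyslog"
```

Once this is in place, /var/log/secure (and the copy on the log host) carries one line per sudo command with the invoking user name, and sudoreplay shows everything typed in a recorded session. The remaining gap is exactly the one the thread keeps pointing at: anyone who still obtains an interactive root shell can tamper with the host-local copies, so the forwarded copy on the log host is the one that counts.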
 
10-06-2019, 10:06 AM   #7   EHSANLINUX (Original Poster)

AGAIN, I KNOW YOUR INTENTION, but I have to make an architecture for this situation because the CEO requests it.
I don't care what my problem sounds like; I only want to solve the problem.
 
10-06-2019, 10:37 AM   #8   pan64 (LQ Addict)
But you need to understand how it works.
We cannot make an architecture for you; we can only help you to solve your problem.
First, you must not give the root account to anyone. Next, you [may] need to configure sudo to allow some people to execute some apps. That can be logged easily.
But neither you - nor, again, anybody - can control the root user, because root has the power to do anything, including modifying the system and removing anything (like logs), or disabling monitoring.
So the best thing you can do is not allow anyone to be root, but give permissions for specific tasks (with sudo or something similar).

 
2 members found this post helpful.
10-06-2019, 10:39 AM   #9   TB0ne (LQ Guru)
Quote: Originally Posted by EHSANLINUX
AGAIN, I KNOW YOUR INTENTION, but I have to make an architecture for this situation because the CEO requests it. I don't care what my problem sounds like; I only want to solve the problem.
Then you need to explain to your CEO why what they want is impossible, period. There is no magic solution to do what you want, and there never will be.

And if your company's security practices are so bad that multiple people log in as root over the network, you've got bigger issues to deal with. We know what you want; you are not understanding what you're being told in regards to it, and it can't be explained any simpler. If you truly don't understand why what you're asking is impossible, then you need to give this job to one of your co-workers who does understand it.
 
1 member found this post helpful.
10-07-2019, 10:56 AM   #10   ondoho (LQ Addict)
Quote: Originally Posted by EHSANLINUX
I know logging in as root is not recommended, but I have to find a solution to tell which sysadmins log in as root and change configuration.
Log in as root yourself, change the password, and don't give it to untrustworthy admins. Done.

Configure permissions for such accounts that allow these other admins to do their work, but not "change configuration".
 
1 member found this post helpful.
10-13-2019, 08:59 PM   #11   btmiller (Senior Member)
If your CEO absolutely must have something, then Google for "Privileged Access Management" and prepare to fork over loads of cash for something like CyberArk or Centrify that will (a) make it much harder to get any real work done, and (b) provide dubious benefits and yet another set of potential security problems (what happens if someone gains unauthorized access to the manager console?). Or you can listen to the good advice given in this thread regarding *not letting people log in as root over the network*.

For less fancy options for after-the-fact auditing, you can:

a. Configure auditd and export the audit logs (and syslogs) off-box to a secure remote server.
b. Don't give anyone whose actions are being audited access to the server from (a), and hope no one breaks in.
 
2 members found this post helpful.
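An added example for option (a), not from btmiller or the thread: an auditd rule set that records every program executed with root privileges together with the login UID (auid), which pam_loginuid sets at login and the kernel preserves across su and sudo, so a command typed inside "sudo su -" is still attributed to the admin who logged in. It also watches /etc, sudoers and the audit log for writes, locks the rules, and includes a small parser that turns the resulting SYSCALL records into "who ran what". The rule file path, the audit keys, the UID-to-name map and the sample audit.log records are constructed assumptions. This only helps if admins log in as themselves: a direct root SSH login gets auid=0 for everyone, which is the indistinguishability the thread describes.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit rules that tie root activity to
# the login user, plus a parser for the records. Paths, keys, the uid map and
# the sample records are assumptions.
set -u

# Rules for /etc/audit/rules.d/root-activity.rules.
write_audit_rules() {
    cat > "$1" <<'EOF'
## Configuration changes: writes to /etc, to sudoers, and to the audit log itself.
-w /etc/ -p wa -k etc_changes
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /var/log/audit/ -p wa -k audit_tamper
## Every program executed with root privileges by a logged-in user.
## auid>=1000 skips daemons; auid!=4294967295 skips processes with no login UID.
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds
## Lock the rules: even root cannot change or disable them until a reboot,
## and the reboot itself is logged. Must be the last line.
-e 2
EOF
}

# Constructed sample records in audit.log SYSCALL format (field names are the
# ones auditd emits; values are invented). Record 3 is an interactive shell
# obtained by uid 1001; record 4 is a daemon write caught by the /etc watch.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1570367000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=4100 pid=4101 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="vim" exe="/usr/bin/vim" key="root_cmds"
type=SYSCALL msg=audit(1570367000.102:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=4200 pid=4201 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8 comm="systemctl" exe="/usr/bin/systemctl" key="root_cmds"
type=SYSCALL msg=audit(1570367000.103:203): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=4300 pid=4301 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="bash" exe="/usr/bin/bash" key="root_cmds"
type=SYSCALL msg=audit(1570367000.104:204): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d9 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="etc_changes"'

# Print one line per root_cmds record: "<login user> ses=<session> <tty> <exe>",
# tagging interactive shells (where per-command sudo logging stops but the
# audit trail continues). The uid map is passed in so this runs offline; on a
# live host build it with: getent passwd | awk -F: '{print $3":"$1}' | paste -sd,
attribute_root_commands() {
    logfile=$1; uidmap=${2:-}
    awk -v map="$uidmap" '
        BEGIN {
            n = split(map, pairs, ",")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); name[kv[1]] = kv[2] }
        }
        /^type=SYSCALL / && /key="root_cmds"/ {
            auid = ""; ses = ""; tty = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "ses") ses = kv[2]
                else if (kv[1] == "tty") tty = kv[2]
                else if (kv[1] == "exe") { exe = kv[2]; gsub(/"/, "", exe) }
            }
            who = (auid in name) ? name[auid] : "uid" auid
            tag = (exe ~ /\/(ba|z|da)?sh$|\/su$/) ? " [shell]" : ""
            print who, "ses=" ses, tty, exe tag
        }' "$logfile"
}

rules=${RULES_OUT:-$(mktemp)}
write_audit_rules "$rules"
echo "rules staged in $rules; install with:"
echo "  install -m 0640 $rules /etc/audit/rules.d/root-activity.rules && augenrules --load"
sample=$(mktemp); printf '%s\n' "$SAMPLE_AUDIT_LOG" > "$sample"
echo "root commands by login user (from the constructed sample records):"
attribute_root_commands "$sample" "1001:alice,1002:bob"
echo "on a live host: ausearch -k root_cmds -i | grep type=SYSCALL"
```

Two operational notes: after "-e 2" is loaded, further augenrules --load calls fail until the box is rebooted, so finish the rule set before locking it; and because root can still delete /var/log/audit on the host, the records need to leave the machine (the audisp remote plugin or forwarding through rsyslog) to the log host that the audited admins cannot log in to, which is btmiller's point (b).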
  

