LinuxQuestions.org
Old 05-24-2013, 09:26 AM   #1
hvwolfman
LQ Newbie
 
Registered: May 2013
Posts: 1

Rep: Reputation: Disabled
Track userid of person using sudo


I am trying to see if there is a way to tell what user used sudo to do work on the server. I need to know if there is a log file that has the userid of the person who invoked sudo to make changes in the system.

Thanks
 
Old 05-24-2013, 09:58 AM   #2
bloodstreetboy
Member
 
Registered: May 2012
Posts: 200
Blog Entries: 3

Rep: Reputation: 37
It is hard to know, but you can search for the keyword sudo in the .bash_history of all users; it will give you the list.
You can also save their history in separate files (make a cron job for it), so even if they delete their history you can know who has used sudo.
 
Old 05-24-2013, 10:40 AM   #3
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,800
Blog Entries: 4

Rep: Reputation: 286
The sudo log file is typically found at /var/adm/sulog, or it could exist as /var/log/sudo.log.

Also, you can check the /etc/sudoers file to see who is there and what access they have.

Further, if you want to check what sudo privileges a user has, just invoke:
Code:
~$ sudo -l

Last edited by shivaa; 05-24-2013 at 10:46 AM. Reason: Command added
 
Old 05-24-2013, 10:55 AM   #4
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,896

Rep: Reputation: 352
You may also have the file /var/log/auth.log, which will show which users use sudo.
 
1 members found this post helpful.
Old 05-24-2013, 12:07 PM   #5
rtmistler
Moderator
 
Registered: Mar 2011
Location: Sutton, MA. USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu
Posts: 5,844
Blog Entries: 12

Rep: Reputation: 2010
By the way, who says that someone has to use sudo to make changes to your server? What if they already know the root password?
 
1 members found this post helpful.
Old 05-24-2013, 07:01 PM   #6
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,896

Rep: Reputation: 352
@rtmistler
Quote:
By the way, who says that someone has to use sudo to make changes to your server? What if they already know the root password?
/var/log/auth.log will still show the name of the user who logged in as root user, or who used sudo.

Last edited by bigrigdriver; 05-24-2013 at 07:02 PM.
 
Old 05-25-2013, 02:23 AM   #7
fortran
Member
 
Registered: Nov 2011
Location: Cairo, Egypt
Distribution: CentOS, RHEL, Fedora
Posts: 300
Blog Entries: 2

Rep: Reputation: 51
As bigrigdriver suggested
Quote:
Originally Posted by bigrigdriver
You may also have file /var/log/auth.log which will show which users use sudo.
As you didn't mention your distro, just for your information:
In CentOS/Fedora/RHEL the filename is
Quote:
/var/log/secure
 
Old 05-28-2013, 08:23 AM   #8
rtmistler
Moderator
 
Registered: Mar 2011
Location: Sutton, MA. USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu
Posts: 5,844
Blog Entries: 12

Rep: Reputation: 2010
Quote:
/var/log/auth.log will still show the name of the user who logged in as root user, or who used sudo.
Yep, auth.log shows when root logged in or sudo...

Code:
root@desktop:/home/user# cat /var/log/auth.log
May 28 08:12:20 desktop sudo:   user : TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May 28 08:12:25 desktop su[6137]: Successful su for root by user
May 28 08:12:25 desktop su[6137]: + /dev/pts/1 user:root
May 28 08:12:25 desktop su[6137]: pam_unix(su:session): session opened for user root by root(uid=1001)
Lookee what I can do...

Code:
root@desktop:/home/user# vi /var/log/auth.log
Guess what auth.log contains now that I've edited it...

Code:
root@desktop:/home/user# cat /var/log/auth.log
At this point I wonder what the original requesting person's intentions were. To spy, to monitor, or to administer in some fashion. I mean, there's a lot more to system/network security other than determining who has performed a sudo command to reconfigure something.
 
1 members found this post helpful.
Old 05-28-2013, 08:43 AM   #9
eklavya
Member
 
Registered: Mar 2013
Posts: 622

Rep: Reputation: 136
Quote:
Originally Posted by rtmistler

Code:
root@desktop:/home/user# vi /var/log/auth.log
Guess what auth.log contains now that I've edited it...
But you are logged in as root, and here we are talking about whether a user updates the file or not.
You have taken the example of the command line using vi, which is really good for explaining my point.

If you are a user, you need to use sudo again to remove the contents of the file, and once you use sudo, it makes an entry in auth.log, so the next time you open the file, you see that the user has edited the file auth.log, something like this:
Code:
May 28 18:05:23 user-desktop sudo:     user : TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/nano /var/log/auth.log
If you edit this line, the next time you open the file it shows your previous editing using sudo.
It means you can't remove your last activity (especially if you have edited auth.log).

It means the admin can know that the user has done something inappropriate, which is why he/she has removed the entry from auth.log.
 
Old 05-28-2013, 09:07 AM   #10
bloodstreetboy
Member
 
Registered: May 2012
Posts: 200
Blog Entries: 3

Rep: Reputation: 37
Quote:
Originally Posted by rtmistler
At this point I wonder what the original requesting person's intentions were. To spy, to monitor, or to administer in some fashion. I mean, there's a lot more to system/network security other than determining who has performed a sudo command to reconfigure something.
That's why in large and professional organizations, they never give sudo facility to users.

If a user tries to use sudo, it says
Code:
username is not in the sudoers file. This incident will be reported.
You have to request by mail to perform your task. Then the admin does it for you.
They prefer the delay to the damage.
 
1 members found this post helpful.
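An added example, not part of the thread: a small shell/awk filter that turns the sudo lines shown in posts #8 and #9 into one record per event, so the invoking user, the run-as user and the command can be read at a glance. It also marks refused attempts (the "not in the sudoers file" case from post #10, which sudo logs as `user NOT in sudoers`) and commands that name the auth log itself; the `guest` and `alice` sample lines and the status labels are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise sudo events from auth.log (Debian/Ubuntu) or
# secure (CentOS/Fedora/RHEL). Reads the file named in $1, or stdin.
# Output, one line per event: STATUS|invoking user|run-as user|command
#   OK      command was run
#   DENIED  sudo refused it (e.g. "user NOT in sudoers")
#   LOGFILE command line names the auth log itself (the case in post #9)
sudo_audit() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) && index($0, "COMMAND=") {
        msg  = substr($0, RSTART + RLENGTH)     # text after the "sudo:" tag
        c    = index(msg, "COMMAND=")           # COMMAND= is the last field
        cmd  = substr(msg, c + 8)
        head = substr(msg, 1, c - 1)
        who = head;   sub(/ +:.*$/, "", who)    # name before the first " :"
        runas = head; sub(/^.* USER=/, "", runas); sub(/ *;.*$/, "", runas)
        status = "OK"
        if (head ~ /NOT in sudoers|command not allowed/) status = "DENIED"
        else if (cmd ~ /\/var\/log\/(auth\.log|secure)/) status = "LOGFILE"
        print status "|" who "|" runas "|" cmd
    }' "${1:--}"
}

# Sample input. Lines 1-3 are quoted in the thread; the "guest" and "alice"
# lines are constructed for this example.
sample_log() {
    cat <<'EOF'
May 28 08:12:20 desktop sudo:   user : TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May 28 08:12:25 desktop su[6137]: Successful su for root by user
May 28 18:05:23 user-desktop sudo:     user : TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/nano /var/log/auth.log
May 28 18:10:02 desktop sudo:    guest : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/ls /root
May 28 18:12:40 desktop sudo:    alice : TTY=pts/3 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/apt-get update
EOF
}

sample_log | sudo_audit
```

On a real system, pass the log path as the argument, for example `sudo_audit /var/log/auth.log` or `sudo_audit /var/log/secure`. Since post #8 shows that root can edit the local file, the result is only as trustworthy as the copy of the log it is run against.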
Old 05-28-2013, 03:14 PM   #11
Habitual
LQ 5k Club
 
Registered: Jan 2011
Location: Nowhere near you, thank God.
Distribution: OSX Sierra
Posts: 8,576
Blog Entries: 15

Rep: Reputation: Disabled
Quote:
Originally Posted by bloodstreetboy
users.
Great, now they are awake.
 
  

