Security Basics mailing list archives

Re: How to track down which commands sudoers set up?


From: "Peter Morgan" <peterjmorgan () gmail com>
Date: Tue, 13 Jun 2006 11:52:27 -0500

Are you referring to the commands issued by a user with SUDO
privileges, or someone that issued the su command to change from the
current user to a UID of 0 (root)?

In the first case (on my Ubuntu Dapper system), you can look in the
auth.log; it will list what command the user issued through sudo.  If
you can't find the logfile, try this:

bash-$ grep -ilr sudo /var/log

and that should find what file on your system houses the logs for sudo.

In the second case, I do not believe there exists a default facility
in Linux to track what commands a user issued when having su'ed to
root.  The best you could do is copy the shell history file from /root
and analyze what is left of that.  If the user was doing something
malicious (or something they didn't want logged) they likely would
have erased those entries in the shell history file.

Hope this helps,

Peter

On 6/13/06, Jannis Kafkoulas <kajannis () web de> wrote:
Hello,

I'd like to find out what exactly any user did after they turned to superuser
and when exactly each cmd was processed (in a Linux box).

Can someone help me manage this?

Many thanks

Jannis
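
An added example, not part of the original messages: a shell function that pulls "who ran what through sudo, and when" out of auth.log. It assumes the classic syslog line format sudo writes; the sample lines are constructed, and the names `sample_log` and `sudo_commands` are hypothetical. It goes slightly beyond the reply by marking denied attempts and sudo-launched shells, since sudo records only the command it started and nothing typed inside that shell.

```shell
#!/bin/sh
# Constructed sample lines in the syslog format sudo writes to auth.log.
sample_log() {
cat <<'EOF'
Jun 13 11:40:02 dapper sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun 13 11:41:10 dapper sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Jun 13 11:42:30 dapper sshd[4021]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
Jun 13 11:45:55 dapper sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jun 13 11:45:55 dapper sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
EOF
}

# Prints one record per sudo invocation: time|invoker|run-as|status|command
sudo_commands() {
  awk '
    $5 !~ /^sudo(\[[0-9]+\])?:$/ { next }   # keep only lines logged by sudo
    index($0, "COMMAND=") == 0   { next }   # skip PAM session open/close lines
    {
      c    = index($0, "COMMAND=")
      head = substr($0, 1, c - 1)           # everything before the command
      cmd  = substr($0, c + 8)
      runas = "?"
      u = index(head, "USER=")
      if (u > 0) { runas = substr(head, u + 5); sub(/ ;.*/, "", runas) }
      split(cmd, w, " ")                    # w[1] is the program path
      status = "OK"
      if (w[1] ~ /^(\/usr)?\/bin\/((ba|da|z|k|c|tc)?sh|su)$/)
        status = "SHELL"                    # later commands are not logged by sudo
      if (head ~ /NOT in sudoers|incorrect password|command not allowed/)
        status = "DENIED"
      printf "%s %s %s|%s|%s|%s|%s\n", $1, $2, $3, $6, runas, status, cmd
    }'
}

# Demo on the constructed sample; on a real host: sudo_commands < /var/log/auth.log
sample_log | sudo_commands
```
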