On Mon, Dec 19, 2016 at 3:12 PM, Michael MacIsaac <[email protected]>
wrote:

> # env | grep mike
> USER=mike
> ...
> # sudo -i
> mike's password:
> # env | grep mike
> SUDO_USER=mike  <audit trail is preserved>
> # su - zadmin
> env | grep mike
> <no output - audit trail is lost>
>
> Please don't say just don't allow root to su to another user - it is
> necessary.  What I want is to preserve the SUDO_USER value with the initial
> login ID no matter how many times su is used.
>
> Any thoughts would be appreciated.
>

Hi Mike,
SUDO_USER is only a helper, relying on it appears too brittle to me.
You might loose the environment intentionally or unintentionally anyway.
Especially for any real malicious attempt.
E.g.:
$ echo $USER
paelzer
$ sudo -i
root@lap:~# env | grep paelzer
SUDO_USER=paelzer
root@lap:~# unset SUDO_USER
root@lap:~# env | grep paelzer
# no "tracking" here anymore

IMHO - auditd is the infrastructure for this job.
It has some painful configuration depending on what you want but it is what
is meant to do the task you asked for.

I'm no expert on this, but this seems to be a good starter for your case:
http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers/475134#475134

P.S. be aware such auditing come at an overhead


--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Reply via email to