On Mon, Dec 19, 2016 at 3:12 PM, Michael MacIsaac <[email protected]> wrote:
> # env | grep mike > USER=mike > ... > # sudo -i > mike's password: > # env | grep mike > SUDO_USER=mike <audit trail is preserved> > # su - zadmin > env | grep mike > <no output - audit trail is lost> > > Please don't say just don't allow root to su to another user - it is > necessary. What I want is to preserve the SUDO_USER value with the initial > login ID no matter how many times su is used. > > Any thoughts would be appreciated. > Hi Mike, SUDO_USER is only a helper, relying on it appears too brittle to me. You might loose the environment intentionally or unintentionally anyway. Especially for any real malicious attempt. E.g.: $ echo $USER paelzer $ sudo -i root@lap:~# env | grep paelzer SUDO_USER=paelzer root@lap:~# unset SUDO_USER root@lap:~# env | grep paelzer # no "tracking" here anymore IMHO - auditd is the infrastructure for this job. It has some painful configuration depending on what you want but it is what is meant to do the task you asked for. I'm no expert on this, but this seems to be a good starter for your case: http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers/475134#475134 P.S. be aware such auditing come at an overhead -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For more information on Linux on System z, visit http://wiki.linuxvm.org/
