Christian,
Thanks for the quick reply. That is good input.
-Mike
On Mon, Dec 19, 2016 at 9:28 AM, Christian Ehrhardt <
[email protected]> wrote:
> On Mon, Dec 19, 2016 at 3:12 PM, Michael MacIsaac <[email protected]>
> wrote:
>
> > # env | grep mike
> > USER=mike
> > ...
> > # sudo -i
> > mike's password:
> > # env | grep mike
> > SUDO_USER=mike <audit trail is preserved>
> > # su - zadmin
> > env | grep mike
> > <no output - audit trail is lost>
> >
> > Please don't say just don't allow root to su to another user - it is
> > necessary. What I want is to preserve the SUDO_USER value with the
> initial
> > login ID no matter how many times su is used.
> >
> > Any thoughts would be appreciated.
> >
>
> Hi Mike,
> SUDO_USER is only a helper, relying on it appears too brittle to me.
> You might loose the environment intentionally or unintentionally anyway.
> Especially for any real malicious attempt.
> E.g.:
> $ echo $USER
> paelzer
> $ sudo -i
> root@lap:~# env | grep paelzer
> SUDO_USER=paelzer
> root@lap:~# unset SUDO_USER
> root@lap:~# env | grep paelzer
> # no "tracking" here anymore
>
> IMHO - auditd is the infrastructure for this job.
> It has some painful configuration depending on what you want but it is what
> is meant to do the task you asked for.
>
> I'm no expert on this, but this seems to be a good starter for your case:
> http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-
> production-servers/475134#475134
>
> P.S. be aware such auditing come at an overhead
>
>
> --
> Christian Ehrhardt
> Software Engineer, Ubuntu Server
> Canonical Ltd
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> ----------------------------------------------------------------------
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/
>
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/