sudo Logging

Enabling sudo logging in CentOS.

As mentioned in the introduction to sudo, the sudo command logs which users run what commands, and also which attempts sudoers refused. sudo hands those messages to syslog; on CentOS they normally land in /var/log/secure, mixed in with the other authentication messages. To collect them in a dedicated file you need to set up sudo and syslogd together. This involves two steps. First, create a sudo log file in /var/log. Second, configure syslog.conf to route sudo's messages to that file. To configure sudo logging, follow these steps:

  1. Log on as root. Create a sudo log file in /var/log, and keep it readable only by root (mode 600), since it will record every privileged command on the system. Enter:
    touch /var/log/sudo
  2. Next, you need to add a line to the syslog.conf file to direct logging to your sudo log file (on CentOS 6, which runs rsyslog, the file is /etc/rsyslog.conf and the same line syntax works). Open syslog.conf by entering the following:
    vi /etc/syslog.conf
  3. Enter the following line at the end of the syslog.conf file (press i to insert text). Classic syslogd requires the whitespace between the selector and the file name to be a TAB, not spaces.
    local2.debug /var/log/sudo
  4. This syslog.conf entry logs every sudo command, allowed or denied, to the /var/log/sudo file, provided sudo is sending its messages to the local2 facility. On CentOS sudo's default facility is authpriv (which is why its entries normally appear in /var/log/secure); if nothing shows up in /var/log/sudo, add the line Defaults syslog=local2 to /etc/sudoers using visudo. You can also log to a network host instead of a local file by giving the host name, prefixed with @, in place of the file name.
  5. Press ESC, then type :wq and press Enter to write the file and quit vi.
  6. Since you have modified the syslog.conf file, syslogd must re-read it. Sending it a HUP signal does this without a full restart (on CentOS 6, service rsyslog restart does the same job). To send the signal, you first need the syslogd process identifier (PID). To find the syslogd PID, type:
    ps aux | grep syslogd
  7. The second column lists the PID number, and the last column the command running under that PID. Use that PID in the kill command to make syslogd re-read its configuration. Type:
    kill -HUP (PID NUMBER)
  8. Now generate some log entries for user chris (chris must already have a sudoers entry that permits the commands below). Log on as user chris.
  9. While logged on as user chris, first list what sudo allows you to run, then enter the following ifconfig commands. Do this from the console rather than over an ssh session on eth0, or taking the interface down will cut your connection:
    sudo -l
    sudo /sbin/ifconfig eth0 down
    sudo /sbin/ifconfig eth0 up
  10. Restart one of the httpd processes (or another process of your choice) using the kill command. First list them by entering:
    ps aux | grep httpd
  11. Choose an Apache (httpd) PID from the list that appears. Enter:
    sudo kill -HUP (PID NUMBER)
  12. Now list the root user directory as user chris. Enter:
    sudo ls /root
  13. Log on as root and view the sudo log file. Every sudo command that chris entered should be listed, including any that sudoers refused.
  14. You can log any root command by simply typing sudo before it. For example, make sure that you are logged on as root and enter the following commands:
    sudo useradd bessie
    sudo passwd bessie
    sudo vi /hosts
  15. Access and view the sudo log by entering:
    sudo cat /var/log/sudo
    All root user entries are logged, including the cat command you just entered. Note that for an editor such as vi only the invocation is recorded, not the changes made inside it.
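The procedure above in one runnable piece, as an added example rather than code from the original article: it prints the exact syslog.conf line the steps add (with the required TAB), and then reads sudo's own log format to report who ran what as which target user, flagging denied attempts. The log lines are a constructed sample in the format sudo writes (hostname, timestamps and PID are made up); the assumption is that sudo has been pointed at the local2 facility as described in step 4.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumes sudo logs via the local2 facility (Defaults syslog=local2 in
# /etc/sudoers, set with visudo) and uses its standard log line format:
#   "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<command>"

SUDO_LOG=/var/log/sudo   # path used in the article; adjust if yours differs

# The syslog.conf / rsyslog.conf line that routes sudo's messages to $SUDO_LOG.
# Classic syslogd insists on a TAB between selector and action; printf '\t'
# guarantees one regardless of how the file is edited.
syslog_conf_line() {
    printf 'local2.debug\t%s\n' "$SUDO_LOG"
}

# Constructed sample of what ends up in /var/log/sudo after the exercise
# (same fields sudo writes; host name and times are invented).
sample_log() {
    cat <<'EOF'
Mar 10 14:02:11 centos6 sudo:    chris : TTY=pts/0 ; PWD=/home/chris ; USER=root ; COMMAND=/sbin/ifconfig eth0 down
Mar 10 14:02:15 centos6 sudo:    chris : TTY=pts/0 ; PWD=/home/chris ; USER=root ; COMMAND=/sbin/ifconfig eth0 up
Mar 10 14:03:02 centos6 sudo:    chris : TTY=pts/0 ; PWD=/home/chris ; USER=root ; COMMAND=/bin/kill -HUP 2104
Mar 10 14:03:40 centos6 sudo:    chris : command not allowed ; TTY=pts/0 ; PWD=/home/chris ; USER=root ; COMMAND=/bin/ls /root
Mar 10 14:05:00 centos6 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd bessie
EOF
}

# Reads sudo log lines on stdin and prints one line per entry:
#   "<ALLOWED|DENIED> <user> -> <target> : <command>"
# sudo marks refusals with "command not allowed"; everything else that
# carries a COMMAND= field was actually executed.
summarize_sudo_log() {
    awk '/ sudo: / && /COMMAND=/ {
        status = ($0 ~ /command not allowed/) ? "DENIED" : "ALLOWED"
        # the word after "sudo:" is the invoking user
        for (i = 1; i <= NF; i++) if ($i == "sudo:") { user = $(i + 1); break }
        target = $0; sub(/.*USER=/, "", target); sub(/ ;.*/, "", target)
        cmd = $0; sub(/.*COMMAND=/, "", cmd)
        printf "%s %s -> %s : %s\n", status, user, target, cmd
    }'
}

# Number of refused attempts in the log on stdin: the first thing to look at
# when reviewing /var/log/sudo, since each one is a user probing for access
# sudoers does not grant.
count_denied() {
    summarize_sudo_log | grep -c '^DENIED '
}

# Stand-alone run: show the config line, then summarize the sample log.
syslog_conf_line
sample_log | summarize_sudo_log
echo "denied attempts: $(sample_log | count_denied)"
```

On a real system replace sample_log with cat /var/log/sudo (run as root, since the file should be mode 600); the summary and the denied count work unchanged because they only depend on sudo's log line format, not on where syslog wrote it.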

Obviously, sudo is very helpful for controlling and auditing root access. It allows a system administrator to distribute root access without giving out the root password. An administrator can control what root access each user needs, and can customize system access based on those needs.

External Links:

Introduction to sudo at

© 2013 David Zientara. All rights reserved.