Hi,
New audit requirements came up (yeah, EU-GDPR and its requirement for accountability: who did what and when, when dealing with personal data) and now I am trying to figure out how I can log what the root user is doing, especially when an admin is doing sudo su. As I noticed, certain commands like "cd" won't work with sudo when I try to enter a directory with a user that doesn't have permissions to enter it. Thus I see sudo su as the only way to do that (or "su" for that matter). But at that moment I need to be able to tell what the root user did. I tried using auditd, but even a root:all in the audit-control file didn't bring anything up. And accounting and lastcomm show me the commands root ran but not the arguments. What can I do?