How to log commands within a "sudo su -"?

Since you are on Ubuntu 12.04, have a look at the I/O logging abilities activated via the log_input and log_output options.

log_input

If set, sudo will run the command in a pseudo tty and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input is also captured and stored in a separate log file.

Input is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the normal sudo log line, prefixed with TSID=. The iolog_file option may be used to control the format of the session ID.

Note that user input may contain sensitive information such as passwords (even if they are not echoed to the screen), which will be stored in the log file unencrypted. In most cases, logging the command output via log_output is all that is required.

log_output

If set, sudo will run the command in a pseudo tty and log all output that is sent to the screen, similar to the script(1) command. If the standard output or standard error is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that output is also captured and stored in separate log files.

Output is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the normal sudo log line, prefixed with TSID=. The iolog_file option may be used to control the format of the session ID.

Output logs may be viewed with the sudoreplay(8) utility, which can also be used to list or search the available logs.

IMPLEMENTATION: Sudo version at least: 1.7.4p4 needed.

/etc/sudoers modifcation: All you need to do is to add two tags to all required sudoers entries (where "su" specified, either with command or alias). LOG_INPUT and LOG_OUTPUT.

Example:

%admins         ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: ALL

Add the following default log dir structure to sudoers:

Defaults iolog_dir=/var/log/sudo-io/%{user}

Your grep when doing sudo su - fails because you're not running echo 1234567zz, you're running su -, which launches a shell. The shell is then running your echo.

This is deliberate, and logging every single command run would flood your syslog with useless info (there are usually tons of programs that get run behind the scenes that you don't normally see).

If you change your grep to grep 'COMMAND=/bin/su -' * you'll see it.

---

sudo su - is also a useless use of su. sudo -i does the same thing.

In increasing complexity, here's three ways of logging the commands issued within the "sudo su -":

1. Rely on bash command history
2. Install an execve logging wrapper
3. Use SELinux's auditd

As to which is suitable, it really depends on what you're trying to accomplish with the logging.

1) Bash Command History

You would want to configure the history facitlity to ensure keeping sufficient lines, not overwriting from different sessions, not ignoring commands, and appropriate timestamps. (See HIST* variables in the bash manual). Easily subverted by editing the history file, manipulating environment or running another shell.

2) execve wrapper

Snoopy Logger is one. Add a check in /etc/profile that the logger library is in the process's memory map (/proc/<pid>/maps), and if not, set LD_PRELOAD and restart (with exec $SHELL --login "$@"). Alternately you may add an entry to /etc/ld.so.preload with $LIB/snoopy.so or equivalent path(s) to your 32/64-bit versions of snoopy.so.

Though more difficult, the LD_PRELOAD environment variable version of the above could still be subverted by manipulating execution environment so that the snoopy code no longer runs.

Syslog should be sent off-box for contents to be trustworthy.

3) auditd

Slightly more straightforward to configure than the execve wrapper, but harder to extract the information from. This is the answer the question you're likely really asking: "Is there a way to log what effect the user has had on a system after they issue sudo su -". Syslog should be sent off-box for contents to be trustworthy.

This Serverfault answer appears to be a fairly comprehensive configuration for use with auditd.

There are some other suggestions to a similar question on serverfault.