Log all root activity with original username who su'd/sudoed to root

The most robust method seems to be auditd:

Requirement 10: Track and monitor all access to network resources and cardholder data

Auditd basically intercepts all system calls and checks them against your set of rules. So in your /etc/audit/audit.rules file you would have something like the following:

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
-a always,exit -F euid=0 -F perm=wxa -k ROOT_ACTION

The last rule being the only non-default rule.

The main drawback with this approach (and the reason I found this question while looking for alternatives) is that the raw log files are pretty cryptic and are only helpful after running the querying program, ausearch, on the raw log file.

An example query for that rule would be:

ausearch -ts today -k ROOT_ACTION -f audit_me | aureport -i -f

A common sense solution would probably be to create a cron that will query your raw auditd logs and then ship them off to your logging solution.


On Red Hat distros you typically use the /var/log/secure log to identify who's been logging in or making use of sudo on a Fedora/CentOS/RHEL system.

Examples

sudo example
$ sudo -Es

log result:

Sep 1 19:32:51 greeneggs sudo: saml : TTY=pts/2 ; PWD=/home/saml ; USER=root ; COMMAND=/bin/bash

su example
$ su -

log result:

Sep 1 19:34:49 greeneggs su: pam_unix(su-l:session): session opened for user root by saml(uid=1000)
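The raw auditd records the first answer calls cryptic and the /var/log/secure lines above both carry the same fact, the original login user, in different shapes. As an added example (not code from either answer), the script below pulls that user out of both: from the audit record it reads auid, the login uid that survives su and sudo, and from /var/log/secure it matches the sudo and su line formats shown above. The audit record, the uid-to-name table and the regular expressions are constructed assumptions.

```python
import re

# Constructed sample input (not from either answer): one raw auditd SYSCALL
# record as the ROOT_ACTION rule produces, and the two /var/log/secure lines.
AUDIT_SAMPLE = (
    'type=SYSCALL msg=audit(1378081971.508:2389): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7fff a1=241 a2=1b6 a3=0 items=1 ppid=2101 pid=2109 '
    'auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts2 ses=3 comm="bash" exe="/bin/bash" key="ROOT_ACTION"'
)
SECURE_SAMPLE = [
    "Sep 1 19:32:51 greeneggs sudo: saml : TTY=pts/2 ; PWD=/home/saml ; "
    "USER=root ; COMMAND=/bin/bash",
    "Sep 1 19:34:49 greeneggs su: pam_unix(su-l:session): session opened "
    "for user root by saml(uid=1000)",
]
NAMES = {0: "root", 1000: "saml"}  # assumed uid table standing in for /etc/passwd

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUDO_RE = re.compile(r' sudo: (\S+) : .*?USER=(\S+) ; COMMAND=(.*)$')
SU_RE = re.compile(r' su: .*session opened for user (\S+) by (\S+)\(uid=(\d+)\)')

def parse_audit_record(line, names=NAMES):
    """Reduce one raw SYSCALL record to who ran what as whom. auid is the login
    uid pam_loginuid stamps on the session; su/sudo do not change it, so it
    names the human behind a process that is running as root."""
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if f.get("type") != "SYSCALL":
        return None  # CWD/PATH records of the same event carry no uids
    auid, euid = int(f["auid"]), int(f["euid"])
    return {"actor": names.get(auid, str(auid)), "as": names.get(euid, str(euid)),
            "exe": f.get("exe"), "key": f.get("key")}

def parse_secure_line(line):
    """Extract actor -> target user from a sudo or su line in /var/log/secure."""
    m = SUDO_RE.search(line)
    if m:
        return {"tool": "sudo", "actor": m.group(1), "target": m.group(2),
                "command": m.group(3)}
    m = SU_RE.search(line)
    if m:
        return {"tool": "su", "actor": m.group(2), "target": m.group(1),
                "command": None}
    return None  # unrelated line (sshd, cron, ...)

def root_escalations(secure_lines):
    """Keep only the entries where someone actually became root."""
    parsed = (parse_secure_line(ln) for ln in secure_lines)
    return [p for p in parsed if p and p["target"] == "root"]
```

Feed `ausearch --raw` output to parse_audit_record and /var/log/secure to root_escalations; the "actor" field is the name to ship to your logging solution alongside the root action.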


If you have cooperating users, you can set up rootsh to log everything the root user types to syslog.

http://linux.die.net/man/1/rootsh

rootsh rpms are available in EPEL.

The version of sudo on RHEL6 is also capable of logging stdout to a file for every sudo session. Look into the sudo_plugins man page.

Neither of these approaches is completely bulletproof.
