Log all root activity with original username who su'd/sudoed to root
The most robust method seems to be auditd:
Requirement 10: Track and monitor all access to network resources and cardholder data
Auditd basically intercepts all system calls and checks them against your set of rules. So in your /etc/audit/audit.rules file you would have something like the following:
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
-a always,exit -F euid=0 -F perm=wxa -k ROOT_ACTION
The last rule is the only non-default rule.
The main drawback with this approach (and the reason I found this question while looking for alternatives) is that the raw log files are pretty cryptic and are only helpful after running the querying program on the raw log file: ausearch
An example query for that rule would be:
ausearch -ts today -k ROOT_ACTION -f audit_me | aureport -i -f
A common sense solution would probably be to create a cron that will query your raw auditd logs and then ship them off to your logging solution.
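A worked example of what such a cron job would do with the raw records, added here and not part of the answer above. It parses audit.log-format records, keeps the events whose SYSCALL record carries the ROOT_ACTION key, groups the SYSCALL and PATH records of one event by their audit serial, and names the original user from the auid (login uid) field, which pam_loginuid sets at login and which survives su and sudo, so a record running as euid=0 still points back at the real person. An auid of 4294967295 means "unset" (a daemon or cron job that never went through a login), and the script reports that rather than blaming anyone. The sample records, the uid-to-name table and the output line format are all constructed so the script runs offline; on a real host `ausearch -i` / `aureport -i` do the uid lookup for you.

```python
"""Turn raw auditd records for the ROOT_ACTION key into one line per event
that names the original (login) user.  Added example; not from the answer."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# auid is the login uid set by pam_loginuid at login and inherited across
# su/sudo; that is what lets a record running as euid=0 still name the real
# user.  The kernel stores "unset" as (unsigned)-1, e.g. for daemons or cron.
UNSET_AUID = 4294967295

# Constructed /etc/passwd-style mapping so the example runs offline.
PASSWD = {0: "root", 1000: "saml"}

# Constructed sample records in /var/log/audit/audit.log format (not taken
# from a real system).  One syscall yields several records sharing a serial.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1378078371.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd0a3e4a0 a1=0 a2=1b6 a3=0 items=1 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="vim" exe="/usr/bin/vim" key="ROOT_ACTION"
type=CWD msg=audit(1378078371.123:4567):  cwd="/etc"
type=PATH msg=audit(1378078371.123:4567): item=0 name="/etc/sudoers" inode=1234 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1378078400.456:4570): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd0a3e4b0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2100 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="ROOT_ACTION"
type=SYSCALL msg=audit(1378078450.789:4580): arch=c000003e syscall=2 success=yes exit=4 a0=7fffd0a3e4c0 a1=0 a2=0 a3=0 items=1 ppid=3001 pid=3002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts3 ses=5 comm="cat" exe="/bin/cat" key="USER_FILE"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')


def parse_record(line):
    """Parse one key=value audit record into a dict (quotes stripped)."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(rec.get("msg", ""))
    if m:
        rec["_ts"] = int(m.group(1))       # seconds since the epoch
        rec["_serial"] = int(m.group(2))   # event id shared by all its records
    return rec


def group_events(text):
    """Group records by audit serial so SYSCALL and PATH lines stay together."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    return events


def root_actions(text, key="ROOT_ACTION", passwd=PASSWD):
    """Return one summary dict per event whose SYSCALL record carries `key`."""
    out = []
    for serial, recs in sorted(group_events(text).items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        auid = int(syscall["auid"])
        if auid == UNSET_AUID:
            login_user = "(no login session)"   # daemon/cron, nobody su'd
        else:
            login_user = passwd.get(auid, "uid=%d" % auid)
        out.append({
            "serial": serial,
            "time": datetime.fromtimestamp(syscall["_ts"], tz=timezone.utc).isoformat(),
            "login_user": login_user,
            "auid": auid,
            "euid": int(syscall["euid"]),
            "ses": syscall["ses"],
            "tty": syscall["tty"],
            "exe": syscall["exe"],
            "paths": [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r],
        })
    return out


def format_for_syslog(ev):
    """One flat line per event, the shape a cron job would ship off-host.
    The field names here are this example's own, not an auditd format."""
    return ("audit_root_action time=%s login_user=%s auid=%d euid=%d ses=%s "
            "tty=%s exe=%s paths=%s" % (ev["time"], ev["login_user"], ev["auid"],
                                        ev["euid"], ev["ses"], ev["tty"], ev["exe"],
                                        ",".join(ev["paths"]) or "-"))


if __name__ == "__main__":
    for ev in root_actions(SAMPLE_AUDIT_LOG):
        print(format_for_syslog(ev))
```

The third sample record is a normal user touching a file under a different key; it is dropped, which is the point of keying the rule. Reading the real file needs root (or the auditd log group), and the PATH record is where the affected file name lives, so a summary that looks only at SYSCALL records loses it.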
On Red Hat distros you typically use the /var/log/secure log to identify who's been logging in or making use of sudo on a Fedora/CentOS/RHEL system.
Examples
sudo example
$ sudo -Es
log result:
Sep 1 19:32:51 greeneggs sudo: saml : TTY=pts/2 ; PWD=/home/saml ; USER=root ; COMMAND=/bin/bash
su example
$ su -
log result:
Sep 1 19:34:49 greeneggs su: pam_unix(su-l:session): session opened for user root by saml(uid=1000)
If you have cooperating users, you can set up rootsh to log everything the root user types to syslog.
http://linux.die.net/man/1/rootsh
rootsh rpms are available in EPEL.
The version of sudo on RHEL6 is also capable of logging stdout to a file for every sudo session. Look into the sudo_plugins man page.
Neither of these approaches is completely bulletproof.
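An added example, not part of the answer above, that does the /var/log/secure reading programmatically rather than by eye: it recognises the two line shapes the answer shows (sudo's "user : TTY= ; PWD= ; USER= ; COMMAND=" line and pam_unix's "session opened for user X by Y(uid=N)" line), plus two cases worth handling, a failed su (pam_unix "authentication failure" with ruser= and user=) and a su run by root itself, which pam_unix logs as "by (uid=0)" with an empty name. The sample lines are constructed to match those formats and are not from a real host. Note what the sudo line actually records for `sudo -Es`: COMMAND=/bin/bash, i.e. that a shell was opened, not what was typed in it, which is the gap rootsh or sudo's I/O logging fills.

```python
"""Pull "who became root" events out of /var/log/secure-style lines.
Added example, not from the answer; sample lines are constructed."""
import re

# Constructed sample lines in the sudo / pam_unix formats RHEL-family
# systems write to /var/log/secure (not captured from a real system).
SAMPLE_SECURE = """\
Sep  1 19:32:51 greeneggs sudo:     saml : TTY=pts/2 ; PWD=/home/saml ; USER=root ; COMMAND=/bin/bash
Sep  1 19:33:10 greeneggs sudo:     saml : TTY=pts/2 ; PWD=/home/saml ; USER=postgres ; COMMAND=/usr/bin/psql
Sep  1 19:34:40 greeneggs su: pam_unix(su-l:auth): authentication failure; logname=saml uid=1000 euid=0 tty=pts/2 ruser=saml rhost=  user=root
Sep  1 19:34:49 greeneggs su: pam_unix(su-l:session): session opened for user root by saml(uid=1000)
Sep  1 19:40:02 greeneggs su: pam_unix(su:session): session opened for user root by (uid=0)
"""

# syslog prefix: timestamp, host, program (optionally with [pid]), message
LINE_RE = re.compile(
    r'^(?P<time>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+'
    r'(?P<prog>sudo|su)(?:\[\d+\])?:\s+(?P<msg>.*)$')
# sudo's standard accept line
SUDO_RE = re.compile(
    r'^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; '
    r'USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$')
# pam_unix session line for su / su -l; the "by" name is empty when the
# calling process has no login name (e.g. root running su from cron)
SU_RE = re.compile(
    r'^pam_unix\(su(?:-l)?:session\): session opened for user (?P<target>\S+) '
    r'by (?P<user>\S*)\(uid=(?P<uid>\d+)\)$')
# pam_unix auth failure for su / su -l
SU_FAIL_RE = re.compile(
    r'^pam_unix\(su(?:-l)?:auth\): authentication failure;.*'
    r'\bruser=(?P<user>\S*)\s.*\buser=(?P<target>\S+)$')


def parse_secure(text):
    """Return one dict per sudo/su event recognised; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        time, host, prog, msg = m.group("time", "host", "prog", "msg")
        base = {"time": time, "host": host, "mechanism": prog}
        if prog == "sudo":
            s = SUDO_RE.match(msg)
            if s:
                events.append(dict(base, ok=True, original_user=s["user"],
                                   target_user=s["target"],
                                   detail="%s (tty %s)" % (s["cmd"], s["tty"])))
            continue
        s = SU_RE.match(msg)
        if s:
            # empty name: fall back to the numeric uid pam_unix did record
            events.append(dict(base, ok=True,
                               original_user=s["user"] or "uid=%s" % s["uid"],
                               target_user=s["target"], detail="session opened"))
            continue
        s = SU_FAIL_RE.match(msg)
        if s:
            events.append(dict(base, ok=False, original_user=s["user"] or "?",
                               target_user=s["target"],
                               detail="authentication failure"))
    return events


def root_escalations(text, include_failures=True):
    """Only the events where the target was root (sudo to other users is
    interesting too, but the question is about root)."""
    return [e for e in parse_secure(text)
            if e["target_user"] == "root" and (include_failures or e["ok"])]


if __name__ == "__main__":
    for e in root_escalations(SAMPLE_SECURE):
        print("%s %s %s -> root via %s: %s" % (
            e["time"], "OK  " if e["ok"] else "FAIL",
            e["original_user"], e["mechanism"], e["detail"]))
```

Running it over the samples gives four root events: saml's sudo shell, saml's failed su, saml's successful su, and the anonymous "(uid=0)" su; the sudo to postgres is filtered out. The last one is exactly the kind of record that the syslog approach cannot attribute any further, which is where the auditd answer's auid field comes in.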