Auditing sudo logs is a critical skill for any Linux administrator. It allows you to see exactly who did what and when.
Here are the most effective ways to audit sudo logs:
1. The Main Log File: /var/log/auth.log
In Ubuntu and Debian-based systems (like the LabEx VM), all authentication events—including every sudo command—are recorded here.
To see the most recent sudo activities, run:
sudo grep "sudo" /var/log/auth.log | tail -n 20
This shows you the timestamp, the user who ran the command, and the exact command they executed.
2. Monitoring in Real-Time
If you want to watch what users are doing as they do it, use the tail -f command:
sudo tail -f /var/log/auth.log | grep sudo
Keep this window open, and every time someone uses sudo in another terminal, it will pop up here instantly.
3. Using journalctl (The Modern Way)
On modern Linux systems using systemd, logs are managed by the journal. This is often cleaner and easier to search than raw text files.
- View all sudo-related logs:
sudo journalctl _COMM=sudo
- View logs from today only:
sudo journalctl _COMM=sudo --since today
4. Searching for a Specific User
If you want to audit the actions of a specific user (like joker), you can combine grep with the log file:
sudo grep "joker" /var/log/auth.log | grep "COMMAND"
5. What to Look For (Security Red Flags)
When auditing, keep an eye out for these suspicious activities:
- Failed Sudo Attempts: Look for "authentication failure" or "user NOT in sudoers". This might indicate someone is trying to guess a password or escalate their privileges.
- Usage of sudo su or sudo -i: These commands give a user a root shell. Once they are "root," their individual commands might not be logged individually in auth.log anymore, which is a major auditing gap.
- Unusual Commands: Watch for commands like chmod 777 on system files or unauthorized installations.
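The checks from sections 1, 4 and 5 can be bundled into a small script. The following is an added example written for this page (it is not part of the original text or of LabEx's lab material): it defines one shell function per check, runs them over a constructed sample of auth.log lines that mimic the traditional sudo/syslog line format, and prints a short summary. Assumptions: the classic "Mon DD HH:MM:SS host sudo: user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." layout, and that a root shell shows up as COMMAND=/usr/bin/su or as a shell binary such as /bin/bash (which is how sudo -i and sudo -s are recorded). Point any function at a real file by passing its path as the last argument; without one it reads /var/log/auth.log.

```shell
#!/bin/sh
# Added example: audit helpers for sudo entries in /var/log/auth.log.
# Every function takes the log file as its last argument (default:
# /var/log/auth.log), so it works on a live file, a rotated copy, or a sample.

LOG_DEFAULT=/var/log/auth.log

# Constructed sample log lines (not real data) in the classic syslog format.
SAMPLE_LINES=$(cat <<'EOF'
Mar 10 09:14:02 labex sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 09:15:40 labex sudo:    joker : TTY=pts/1 ; PWD=/home/joker ; USER=root ; COMMAND=/usr/bin/chmod 777 /etc/shadow
Mar 10 09:16:03 labex sudo: pam_unix(sudo:auth): authentication failure; logname=joker uid=1001 euid=0 tty=/dev/pts/1 ruser=joker rhost=  user=joker
Mar 10 09:16:10 labex sudo:    joker : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/joker ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 09:20:22 labex sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su
Mar 10 09:31:00 labex sudo:    bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
EOF
)

# Section 1: how many sudo commands each user issued (accepted or refused).
# The user name is the word that follows "sudo:" on a COMMAND= line.
commands_per_user() {
    grep 'sudo:.*COMMAND=' "${1:-$LOG_DEFAULT}" |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "sudo:") { count[$(i+1)]++; break } }
         END { for (u in count) print u, count[u] }'
}

# Section 4: every command a single user ran (or was refused) through sudo.
user_commands() {   # $1 = user name, $2 = log file
    grep "sudo:[[:space:]]*$1 :" "${2:-$LOG_DEFAULT}" | grep 'COMMAND='
}

# Red flag 1: failed sudo attempts (bad password or user not in sudoers).
failed_sudo() {
    grep -E 'sudo:.*(authentication failure|user NOT in sudoers)' "${1:-$LOG_DEFAULT}"
}

# Red flag 2: commands that hand out a root shell. "sudo su" is logged as
# COMMAND=/usr/bin/su (or /bin/su); "sudo -i" and "sudo -s" are logged as the
# target user's shell, e.g. COMMAND=/bin/bash. The shell list is an assumption.
root_shells() {
    grep -E 'sudo:.*COMMAND=(/usr)?/bin/(su|bash|sh|dash|zsh)( |$)' "${1:-$LOG_DEFAULT}"
}

# Red flag 3: world-writable permission changes made through sudo.
risky_chmod() {
    grep -E 'sudo:.*COMMAND=.*chmod .*777' "${1:-$LOG_DEFAULT}"
}

# Count the lines a check produced; grep's non-zero exit on "no match" is
# absorbed by wc, so an empty result simply prints 0.
count_lines() { wc -l | tr -d ' '; }

# Summary of the three red flags for one log file.
audit_report() {
    f="${1:-$LOG_DEFAULT}"
    printf 'Failed sudo attempts : %s\n' "$(failed_sudo "$f" | count_lines)"
    printf 'Root shells spawned  : %s\n' "$(root_shells "$f" | count_lines)"
    printf 'chmod 777 commands   : %s\n' "$(risky_chmod "$f" | count_lines)"
}

# Demo run over the constructed sample written to a temporary file.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LINES" > "$SAMPLE_FILE"
echo "== sudo commands per user =="
commands_per_user "$SAMPLE_FILE"
echo "== everything joker did through sudo =="
user_commands joker "$SAMPLE_FILE"
echo "== red-flag summary =="
audit_report "$SAMPLE_FILE"
rm -f "$SAMPLE_FILE"
```

On the sample above the report counts two failed attempts (the PAM failure and the "user NOT in sudoers" refusal), one root shell (alice's sudo su) and one chmod 777. Note that user_commands deliberately keeps refused commands, since a refused COMMAND= line tells you what the user tried to do; drop them by piping through grep -v 'NOT in sudoers' if you only want what actually ran.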
Summary: The "Pro" Checklist
| Goal | Command |
|---|---|
| Quick check | sudo grep sudo /var/log/auth.log |
| Real-time monitor | sudo tail -f /var/log/auth.log \| grep sudo |
| Filtered history | sudo journalctl _COMM=sudo |
By regularly checking these logs, you ensure accountability—one of the key reasons mentioned in your lab for using the sudo group instead of the root account!