In production environments it is often necessary to trace what each administrator did while logged on to a shared account, for example the root account reached through sudo. The sudo command gives normal Linux users temporary access to root privileges.
After typing su - or sudo su -, their actions must be logged so that it is known what was done during that use of the root account. The document below describes, first, how to restrict such sudo access and then, if full access is granted on special request, how to track the sessions and keep their logs on the server.

Scenarios

Restricting the # prompt for a sudo user

Log in to the server on which you have to give access.

Create the normal user if it is not already created.

Assign a password to the user.

Edit the /etc/sudoers file, or run visudo.

Add the following line to the file, where test is the username:

test ALL=(ALL) ALL, !/bin/su, !/bin/vi /etc/sudoers, !/usr/sbin/visudo

Note that sudoers(5) itself cautions that excluding commands from ALL with ! is not an effective security boundary; treat this line as a convenience and rely on the logging described below for accountability.

Add the following line at the end of the file so that every sudo invocation is recorded:

Defaults logfile=/var/log/sudolog

Save the changes with :wq!

Unrestricted (full access for a sudo user) and its secondary logging

Add the following lines to /root/.bashrc:

# secondary logging begin
export HISTSIZE=600000
export HISTFILESIZE=600000
# With HISTTIMEFORMAT set, bash stores a "#<epoch>" line before each command in the history file
export HISTTIMEFORMAT="%F %T %z "
# "who am i" reports the login name that owns the terminal, i.e. the user who ran "sudo su -" or "su -";
# fall back to "unknown" when there is no controlling terminal so the file name is never empty
_orig_user=$(who am i | awk '{print $1}')
export HISTFILE=/var/log/sudousers_historylogs/root_history-${_orig_user:-unknown}
# Append to the history file before every prompt rather than only at logout
export PROMPT_COMMAND='history -a'
# secondary logging end

Create the directory /var/log/sudousers_historylogs.


Now, after using sudo su - or su - from, for example, the sudo user test, a file named root_history-test is created in /var/log/sudousers_historylogs once we log out of the root account. The files are created after we type exit to log off from the sudo root account.

Once this file exists, we have a trace of what went on while the user was switched to the sudo root account on the server:

[root@Inde-test]#cat root_history-test
vi /root/

Because HISTTIMEFORMAT is set, bash records a Unix timestamp (a line such as #1435037511) before each command in the file. To decode such a timestamp, simply run date -d @ followed by the timestamp you wish to decode. It displays the exact time at which the command was run on the server.

[root@inde-test sudousers_historylogs]# date -d @1435037511
Tue July 2 05:31:51 EST 2015

This tells us that the “reboot” command was executed by the sudo user test on Tue July 2 05:31:51 EST 2015.
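Decoding every timestamp by hand with date -d @ does not scale once a history file has hundreds of entries. The script below is an added example (not part of the original post) that turns a history file written with HISTTIMEFORMAT into a readable timeline: each "#<epoch>" marker line is paired with the command that follows it, entries that carry no marker (for example lines that predate the .bashrc change) are kept and labelled rather than dropped, and a "#" comment typed as a command is not mistaken for a marker because only all-digit markers count. The sample history content is constructed for the demonstration; the function names sample_history and decode_history are my own, and the decoding relies on GNU date (date -u -d @<epoch>) as found on the Linux hosts the post describes.

```bash
#!/usr/bin/env bash
# Added example: render a bash history file (HISTTIMEFORMAT layout) as a UTC timeline.

# Constructed sample of what /var/log/sudousers_historylogs/root_history-test
# could contain: one entry recorded before timestamps were enabled, then two
# timestamped entries (1435017600 = 2015-06-23 00:00:00 UTC), one of which is a
# shell comment that also starts with "#".
sample_history() {
    printf '%s\n' \
        'ls /etc' \
        '#1435017600' \
        'vi /root/.bashrc' \
        '#1435017660' \
        '# ad-hoc note'
}

# Reads a history file on stdin and prints "<UTC time>  <command>" per entry.
# Usage with a real log:
#   decode_history < /var/log/sudousers_historylogs/root_history-test
decode_history() {
    ts="" line="" when=""
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*)
                digits=${line#\#}
                case "$digits" in
                    ''|*[!0-9]*)
                        ;;                 # a real comment; fall through to command handling
                    *)
                        ts=$digits         # bash timestamp marker for the next command
                        continue
                        ;;
                esac
                ;;
        esac
        if [ -n "$ts" ]; then
            when="$(date -u -d "@$ts" '+%F %T') UTC"
        else
            when='(no timestamp recorded)'   # 23 chars, same width as the UTC column
        fi
        printf '%-23s  %s\n' "$when" "$line"
        ts=""
    done
}

# Stand-alone demonstration on the constructed sample
sample_history | decode_history
```

The output lists "(no timestamp recorded)  ls /etc" first, then the two timestamped commands with their UTC times; reviewing the file this way also makes gaps visible, for example a command with no timestamp in a file that should have them everywhere, which would suggest the history settings were altered during the session.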

That’s all for now.