How to Review sudo Command Usage on Linux
The sudo command gives a user superuser, or root, privileges. No doubt you gave them the "With great power comes great responsibility" speech. Here's how to check whether they were listening.
The sudo command
The sudo command stands for "substitute user do". It lets an authorized person run a command as if they were another user. It accepts command line options, one of which names the user to run the command as. The most common way sudo is used is to omit the command line options and use the default action, which runs the command as the root user.
Using sudo in this way requires special permission. Only privileged users can use sudo. If you're installing a modern Linux distribution, you'll be prompted to set up a root password that you can use with sudo. Permission to do this is granted to the regular user that you create during installation. This is the preferred method of handling access to the root user's capabilities. The old way was to create a root user and log in as root to manage your system.
This was a dangerous scenario. It was easy to forget (or be too lazy) to log out and log back in as a normal user when you no longer needed root privileges. Any mistake you made in the terminal window as root would be executed, no matter how drastic. Things that would be blocked by the shell if a normal user tried them would be executed without question when root requested them. Using the root account instead of a regular account is also a security risk.
Using sudo focuses the mind. You're entering the same dangerous waters, but you're making a conscious choice to do so, and hopefully you're treading very carefully. You only invoke your superuser status when you need to do something that requires it.
When you give other users root access, you want to be sure that they take that responsibility as seriously as you do. You don't want them issuing commands recklessly or speculatively. The health and well-being of your Linux installation depends on privileged users behaving in a respectful and responsible manner.
Here are several ways to monitor your root usage.
The auth.log file
Some distributions keep an authentication log in a file called "auth.log". The advent and rapid adoption of systemd removed the need for the auth.log file. The systemd-journal daemon consolidates system logs into a (then-new) binary format, and journalctl allows you to examine or query the logs.
If you have an "auth.log" file on your Linux computer, it is probably in the "/var/log/" directory, although on some distributions the filename and path is "/var/log/audit/audit.log".
You can open the file in less like this. Remember to change the path and filename to match your distribution, and be prepared for the possibility that your Linux doesn't create an authentication log file at all.
This command worked on Ubuntu 22.04.
less /var/log/auth.log
The log file will open and you can browse through it or use less's built-in search function to search for "sudo".
Even with less's search function, it may take some time to find the sudo entries that interest you.
Suppose we want to see what a user called mary has used sudo for. We can search the log file with grep for lines containing "sudo", and then pipe the output through grep again to find the lines containing "mary".
Note the sudo in front of grep and in front of the log file name.
sudo grep sudo /var/log/auth.log | grep "mary"
This gives us lines containing “sudo” and “mary”.
We can see that the user mary was granted sudo privileges at 15:25, and at 15:27 she opened the fstab file in an editor. That's the kind of activity that definitely warrants a deeper dive, starting with a chat with the user.
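As an added example (not part of the original article), here is a small shell script that does the same digging over auth.log-style lines programmatically: for one user it pulls out the time, target user, outcome and command of every sudo invocation, and skips the pam_unix session lines that carry no command. The sample log excerpt, the hostname "web01" and the user "dave" are constructed.

```shell
#!/bin/sh
# Added example: report a user's sudo invocations from auth.log-style input.
# A sudo record in auth.log looks like:
#   Mar 14 15:27:03 host sudo:     mary : TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/vi /etc/fstab
# Failed attempts carry a reason before the TTY field, e.g.
#   ... sudo:     mary : 3 incorrect password attempts ; TTY=pts/1 ; ... ; COMMAND=/usr/bin/cat /etc/shadow

# Read log lines on stdin; print one tab-separated record per sudo
# invocation by the named user: time, target user, OK/DENIED, command.
sudo_commands_for_user() {
    awk -v want="$1" '
        # Field 5 is the syslog tag, field 6 the invoking user.
        # Only records with a COMMAND= field are invocations; the
        # pam_unix "session opened/closed" lines are skipped.
        $5 == "sudo:" && $6 == want && /COMMAND=/ {
            target = "?"
            if (match($0, /USER=[^ ;]+/))
                target = substr($0, RSTART + 5, RLENGTH - 5)
            # COMMAND= is always the last field, so take the rest of the line
            # (a command containing " ; " is kept intact).
            cmd = substr($0, index($0, "COMMAND=") + 8)
            status = "OK"
            if ($0 ~ /NOT in sudoers|incorrect password/) status = "DENIED"
            printf "%s\t%s\t%s\t%s\n", $3, target, status, cmd
        }'
}

# Constructed auth.log excerpt for demonstration; not from a real host.
sample_log() {
    cat <<'EOF'
Mar 14 15:25:41 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by mary(uid=1001)
Mar 14 15:25:41 web01 sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/apt update
Mar 14 15:27:03 web01 sudo:     mary : TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/vi /etc/fstab
Mar 14 15:29:10 web01 sudo:     mary : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
EOF
}

# On a real system you would run: sudo cat /var/log/auth.log | sudo_commands_for_user mary
sample_log | sudo_commands_for_user mary
```

The DENIED column is worth watching: a string of refused attempts against sensitive files is a stronger signal than a single successful edit.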
Using journalctl
The preferred method on systemd-based Linux distributions is to use the journalctl command to check the system logs.
If we pass the name of a program to journalctl, it searches the logs for entries that reference that program. The sudo binary is located at /usr/bin/sudo, so we can pass that path to journalctl. The -e (pager end) option tells journalctl to open the default pager, which is normally less, and the display automatically scrolls to show the most recent entries.
sudo journalctl -e /usr/bin/sudo
The log entries for sudo are listed in less.
Use the right arrow key to scroll right to see the command used in each invocation of sudo. (Or stretch your terminal window so it's wider.)
And because the output is displayed in less, you can search for text such as command names, usernames, and timestamps.
RELATED: How to Use journalctl to Read Linux System Logs
Using the GNOME Log Utility
Graphical desktop environments usually include a way to inspect logs. We'll look at the GNOME Logs utility. To open it, press the "Super" key, to the left of the space bar.
Type “logs” in the search box. The Logs icon appears.
Click the icon to launch the Logs application.
Clicking the categories in the sidebar filters the log messages by message type. To make a more specific selection, click the All category in the sidebar, then click the magnifying glass icon in the toolbar and enter a search term. We'll search for "sudo".
The list of events is filtered to show only the events related to the sudo command. A small gray block at the end of each line shows the number of entries in that event session. Click a row to expand it.
We clicked on the top row to see the details of the 24 entries in that session.
With a little scrolling, we can see the same events that we saw when using the journalctl command. User mary's inexplicable editing session on the fstab file is found quickly. We could have searched for "mary", but that would also include entries other than her use of sudo.
Not everyone needs root access
Where there is a genuine, reasonable need, giving sudo privileges to other users can be useful. Equally, it makes sense to review their use (or abuse) of those powers, especially shortly after they have been granted.