When a user uses su command, he is prompted for the root credentials once he provides the same, he is given the root shell and now he is having unlimited power of root. Still, if SELinux is enabled this behavior can be controlled.
Usually, linux system shall be configured in such a way that only certain users shall have access to the su command. To disable command for all make sure there shall be no user in the wheel group on the system. Then go to /etc/pam.d and edit the “su” file uncomment the following line
auth required pam_wheel.so use_uid
To provide permissions to any specific user for executing this command, add them to wheel group now.
The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo , they are prompted for their own password.Then, when they have been authenticated and assuming that the command is permitted, the Administrative command is executed as if they were the root user.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user’s shell, not a root shell.
- Each successful authentication using sudo is logged to the file /var/log/messages
- Command issues along with sudo are logged to the /var/log/secure file along with the name of the user who triggered the command.
Use visudo utility to edit the sudoers file
visudo -f /etc/sudoers
Additional logging for sudo.
use the pam_tty_aud it module to enable TTY auditing for specified users by adding the following line to your /etc/pam. d /system-auth file. Following configuration will enable TTY auditing for the root user and disable it for all other users:
session required pam_tty_audit.so disable=* enable=root
Note:- Configuring the pam_tty_aud it PAM module for TTY auditing records only TTY input. This means that, when the audited user logs in, pam_tty_aud it records the exact keystrokes the user makes into the /var/log /audit/audit.log file.