Sudo In AIX, how to find out what commands have been run after a user sudo to another user? for example, user sam run 'sudo -u robert ksh' then run some commands, how can I (as root) find what commands have been run?
sudo.log only contains sudo event, no activity logging.
Check the corresponding history file of the user ?
it depends on your sudoers configuration but the default is syslog. you may have to add a line to /etc/syslog.conf and refresh syslogd. check the sudo documentation for details.
It would be better if you just didn't allow a user to use the "su" command with sudo. You could add something like this into your /etc/sudoers file to keep them from running the "su" command.
User_Alias usergroup = user1,user2
Cmnd_Alias userlist = /usr/bin/vi,/usr/bin/mv,/usr/bin/cp,/usr/bin/chmod,/usr/bin/chown,/usr/bin/tar
usergroup ALL = userlist, !/usr/bin/vi /etc/sudoers
Also, it would be good if you prevented them from using "sudo" to vi the /etc/sudoers file so they can't change your new "better secured" configuration (also in the configuration above). That would be funny if you didn't set it up and they did change your /etc/sudoers file.... anyway, this configuration would allow you to track all their commands via the sudo log.