-3

This is a question I've pondered for a long time and thought was impossible.

Is it possible to prevent administrators of a machine from bypassing the audit capabilities of sudo or doas? For instance, running sudo su - and having a root shell?

I suppose the real question is, is there a way to audit root's activity on a machine?

3
  • 5
    Don't add the user to the sudo group. If you have a real problem, please tell us. Otherwise the answer will only be don't give administrative rights to users that should not have administrative rights. Please also check: What is the XY Problem? Commented Aug 9, 2021 at 5:28
  • Logging root activity is done outside the box: you connect as a normal and explicit user from a special host that logs all keyboard (or window) activity, and only the security team can view the audit file. Commented Aug 9, 2021 at 8:23
  • This question is too vague to give a good answer. For example, one answer is don't give "someone" any access to root at all. If you want, for example, someone to log in as root but not have a shell (let's say to do sftp only), there are ways to do that. You can put /sbin/nologin as the shell for that user. However, since we do not know what your use case is, there is no best answer. Commented Aug 15, 2021 at 19:05

2 Answers

0

Is it possible to prevent administrators of a machine from bypassing the audit capabilities of sudo or doas?

By definition, administrators of a machine have full access to everything within the machine, so they'll also be able to stop the audit process, tamper with the audit logfiles, etc.

If you need to monitor/audit someone, don't give them root access; rather, add the user to the sudoers file, allowing them the minimum set of commands necessary to accomplish their duties.
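Following that advice, here is an added sudoers drop-in (example configuration written for this page, not from the answer or any project) that grants a group only a fixed command list while turning on sudo's own session logging; the group name ops, the file name, the command list and the log paths are assumptions.

```sudoers
# Added example: /etc/sudoers.d/ops-audit (file name, group "ops", command
# list and log paths are assumptions). Check the syntax before relying on it:
#   visudo -c -f /etc/sudoers.d/ops-audit

# Record keystrokes and terminal output of every sudo session run by the
# group, plus one plain-text line per invocation. Members of ops are not
# root, so they cannot edit or delete these files themselves.
Defaults:%ops log_input, log_output
Defaults:%ops iolog_dir=/var/log/sudo-io/%{user}
Defaults:%ops logfile=/var/log/sudo.log
# Allocate a pseudo-terminal even for non-interactive commands so the
# I/O log cannot be sidestepped by running without a tty.
Defaults:%ops use_pty

# The minimum command set, spelled out with exact arguments. No shell, no
# "ALL", no editor or pager with a shell escape, and no wildcard arguments
# (a "*" in sudoers also matches spaces, so it can widen the match).
Cmnd_Alias OPS_NGINX = /usr/bin/systemctl restart nginx, \
                       /usr/bin/systemctl --no-pager status nginx, \
                       /usr/bin/journalctl --no-pager -u nginx

# NOEXEC stops the permitted programs from launching child processes, which
# closes the usual route from an allowed command to an unlogged shell.
%ops ALL = (root) NOEXEC: OPS_NGINX
```

Sessions recorded this way can be replayed with sudoreplay; the restriction only holds because the user is never given a rule that resolves to a shell or to ALL.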

-3

We can put a plug on the root:

sudo chsh root 

And put the plug: /sbin/nologin or /bin/false. Necessarily with sudo.
Warning: otherwise we will not be able to change the settings back.

Or, on my Fedora system, there is a directory for scripts that start at login time: /etc/profile.d. Let's create a script named custom.
Arrange ID verification:

# /etc/profile.d/custom: end the login shell if the user ID is 0 (root)
if [ "$UID" -eq 0 ]; then exit; fi

ls -l /etc/profile.d/custom
-rw-r--r-- 1 root root ...

You can also delete this file with sudo and execute other commands with sudo, but you will not be able to start the shell:

sudo rm /etc/profile.d/custom 
1
  • 1
    This does not prevent sudo /bin/bash Commented Aug 9, 2021 at 16:06
