The thing is, if you give someone sudo privileges, they can become root with:
- sudo -i
- sudo su
- sudo sh
- sudo bash
- sudo
- sudo vi (seriously)
- sudo python
The good thing is, you can limit sudo privileges in a semi-granular fashion. Here's the sudoers man page to elaborate on that a little more. `man sudoers` can give you the same information.
Blocking access to su is a little more trivial. Here's a post on U&L that shows how to do this. Basically, you create a group called "becomeroot" and tell PAM to check if a user is in that group before allowing su. Don't add the admin to this group, and you're golden. However, they'll have the permissions to change this, because they have sudo!
You need to trust your admin, or remove sudo from them. If logging is the main concern, export the .bash_history files and log them externally. Here's another U&L post (man those guys are clever) that describes using auditd and a syslog server. Once the logs leave the box, your admin is powerless to stop it because they've already been snitched on!
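As an added example (not part of the answer above, and not code from any linked post), the script below does the defender's side of what the answer describes: it audits a sudoers file for rules that hand out a root shell (ALL, or one of the shell/editor/interpreter commands listed above), and writes the three hardening fragments the answer mentions: a sudoers rule limited to named commands, the PAM line that restricts su to the "becomeroot" group (that group name is taken from the answer), and an auditd rule plus an rsyslog forwarding line so the record leaves the box. Assumptions: the `loghost.example` hostname, the `root_cmds` audit key and the scratch-directory file names are placeholders I chose; the sample sudoers content is constructed, and the audit does not expand `Cmnd_Alias` definitions.

```shell
#!/bin/sh
# Added example, not from the original answer. Audits a sudoers file for rules
# that are equivalent to "become root", and writes hardening fragments into a
# scratch directory (stand-ins for /etc/sudoers.d/, /etc/pam.d/su and
# /etc/audit/rules.d/) so it runs without root.
set -eu

# Commands from the answer that escape to a root shell, or to an editor or
# interpreter that can spawn one. Granting any of these via sudo equals ALL.
SHELL_ESCAPES="su sh bash vi vim python python3"

# audit_sudoers FILE
#   Prints "risky: <rule>" for each user spec granting ALL or a command whose
#   basename is in SHELL_ESCAPES. Returns 0 if clean, 1 if anything was found.
#   Limitation: Cmnd_Alias names are not expanded, so check aliases by hand.
audit_sudoers() {
    awk -v esc="$SHELL_ESCAPES" '
        BEGIN { n = split(esc, e, " "); for (i = 1; i <= n; i++) bad[e[i]] = 1 }
        /^[[:space:]]*(#|$)/                        { next }  # comments, blanks
        /^[[:space:]]*(Defaults|[A-Za-z_]+_Alias)/  { next }  # not user specs
        {
            spec = $0
            sub(/^[^=]*=/, "", spec)                    # drop "user host="
            sub(/^[[:space:]]*\([^)]*\)/, "", spec)     # drop "(runas)"
            gsub(/[A-Z]+:/, "", spec)                   # drop NOPASSWD: etc.
            ncmd = split(spec, cmds, ",")
            for (i = 1; i <= ncmd; i++) {
                c = cmds[i]
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
                split(c, w, "[[:space:]]+")             # w[1]: command, maybe a path
                base = w[1]; sub(/.*\//, "", base)
                if (c == "ALL" || base in bad) { print "risky: " $0; hit = 1; break }
            }
        }
        END { exit hit ? 1 : 0 }
    ' "$1"
}

# write_hardening DIR USER CMD...
#   Writes: a sudoers rule allowing USER only the listed commands as root, the
#   pam_wheel line restricting su to the "becomeroot" group, an auditd rule that
#   records every execve with euid 0 by a logged-in user (placeholder key
#   root_cmds), and an rsyslog forward to a placeholder log host.
write_hardening() {
    dir=$1; user=$2; shift 2
    cmds=$(printf '%s, ' "$@"); cmds=${cmds%, }
    printf '%s ALL=(root) %s\n' "$user" "$cmds" > "$dir/sudoers-$user"
    printf '%s\n' 'auth required pam_wheel.so use_uid group=becomeroot' > "$dir/pam-su"
    printf '%s\n' '-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds' \
        > "$dir/audit-root.rules"
    printf '%s\n' '*.* @@loghost.example:514' > "$dir/rsyslog-forward.conf"
}

main() {
    work=$(mktemp -d)
    # Constructed sample: the first two user specs are fine-grained, the last
    # three are the "became root anyway" cases from the answer.
    cat > "$work/sudoers.sample" <<'EOF'
# constructed sample, not a real host's sudoers
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl
ops   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/journalctl
dba   ALL=(postgres) /usr/bin/psql
alice ALL=(ALL:ALL) ALL
bob   ALL=(root) /usr/bin/vi /etc/hosts
carol ALL=(root) /usr/bin/python3 /opt/tool.py
EOF
    if audit_sudoers "$work/sudoers.sample"; then
        echo "sudoers is clean"
    else
        echo "root-shell grants found (listed above)"
    fi
    write_hardening "$work" ops /usr/bin/systemctl /usr/bin/journalctl
    cat "$work/sudoers-ops"
    rm -rf "$work"
}
main
```

Run it as an ordinary user; it never touches /etc. Point `audit_sudoers` at a copy of the real file (or at `sudo -l` output reshaped into rules) to spot the grants the answer warns about, and review any `Cmnd_Alias` that bundles editors or interpreters separately, since the script leaves aliases unexpanded.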