John> What is the best way to provide proof to an audit person who John> needs to know all the root/sudo users for a RHEL 6 server? It depends on what they take as "proof" of your audit process. Our current auditors want screen shots of files with a clock in the corner, which makes *zero* sense, so we're working to educate them and to put a better system in place. It might be that tripwire is the possible solution, started off first in a very targeted way. John> (I am new at this company, and don't have access to all their resources) John> We can provide the /etc/passwd & /etc/sudoers file (the John> auditor may not know how to read these files) The probably don't *care* what the files say, but more "what is your process to monitor and keep track of changes?". And of course management of adding and removing acounts. John> We also have the RedHat Identity Management running here, but John> I am not familiar with this tool. Never used it. Auditing is documenting a process and having controls and being able to show you use them and of course can justify them. John