.. and sudo has a log file so you can audit what users are doing...
Security is based on three types of controls... logical (technical), administrative (rules and policies) and physical controls; and it is a combination of these three facets of security that creates a security policy.
Example:
- Policy that employees can only do "this" and "that" or else may risk being fired from job. (administrative control)
- sudo configuration that restricts access and logs actions (logical, technical controls)
- Log sudo actions to read-only media that is located in a locked area (logical + physical controls).
Normally, it is neither cost-effective nor prudent to only rely on logical controls.
It's kind of like (well, almost exactly like) your car. Your car can (maybe) drive up to speeds of 200 miles per hour, but the law says you can only drive 60 miles per hour (example). So, the control is administrative (not logical) and there are some physical controls as well; for example, if you try to go around a curve at 200 miles per hour, you will fly off the road.
Computer security is based on three controls... logical, physical and administrative and there can be myriad combinations of these three control areas based on the risk profile to create an effective security policy.
In this thread, we have only discussed a few logical controls. We have not discussed administrative or physical controls and we have not examined the risk profile (vulnerability, threat, and criticality); these areas need to be examined before keying in on the right combination of controls.