With sudo every command run through sudo gets written out to the log, so you as administrator can determine if the host is compromised or not by extracting that info from the logs.
This assumes that you foresee the set of binaries you want used via sudo and limit them such that you are 100% sure that none can be used to escalate your privileges further and then subvert the audit logs; e.g. you give someone sudo access to vi -- of course useful to edit config files -- but they can then use '!' to run arbitrary shell commands (actually, I don't think ESXi vi does let you do that, but you get the point).
A restricted environment is not the idea of our troubleshooting shell -- it is, by design, full and complete access to the system for unforeseen circumstances.
What you are saying is that basically one should destroy every host that has been accessed via the root account... as it is now no longer trusted...
I would not go that far; we have login and shell audit logs (/var/log/shell.log, /var/log/auth.log) that help establish what has gone on. If you are sending logs across the network to a secure host, you at the very least have the login and the first thing that was run that cannot be subverted. You would have to evaluate what has been run from that point to see if you trust the logs.
Sure there are valid reasons for accessing the console and NO the APIs do not always solve that, take the simple example that you miss network connectivity.
The management interface should be recoverable via the DCUI interface, which is a secure subset of configuration options (you cannot run arbitrary things from it). Again, we're always looking to make things better, so suggestions for what doesn't work here are always appreciated.
I also wonder how you can see "who has logged in" if it is going to be root anyways? Direct console access? What will it log? Every user logging in remotely will be lifted to root levels? Automatic sudo? Ewww...
Users authenticate as usual, a record of which gets sent to the audit logs. Once authenticated, all shell users are considered as uid 0. The logs in /var/log/shell.log retain the username of the person executing them.