Enable audit logging on Linux


To enable audit logging on Linux so that typed commands are recorded, follow the steps below.

Add the line below to /etc/pam.d/system-auth:

session required pam_tty_audit.so enable=*

Once done, run the command below to view the output:

ausearch -ts today -m tty -i

To filter the output further, add the grep and cut stages below:

ausearch -ts today -m tty -i | grep id=user | cut -d '=' -f3,5,6,10
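
The cut stage above picks fields by position, so its output shifts when a record carries an extra key such as ses= or when the typed data itself contains an "=". As an added example (not part of the original post), the shell function below extracts the same fields by key name. The function names and the sample records are constructed for illustration, and the records assume the usual interpreted TTY record layout.

```shell
#!/bin/sh
# Constructed sample of `ausearch -m tty -i` output (not real log data).
# Record 2 has a ses= field and an "=" inside data=; record 4 is user alice2.
sample_records() {
    cat <<'EOF'
type=TTY msg=audit(09/12/2017 10:11:12.123:456) : tty pid=2301 uid=root auid=alice major=136 minor=0 comm=bash data="id",<ret>
type=TTY msg=audit(09/12/2017 10:12:40.501:460) : tty pid=2301 uid=root auid=alice ses=3 major=136 minor=0 comm=bash data="export EDITOR=vi",<ret>
type=TTY msg=audit(09/12/2017 10:15:02.004:471) : tty pid=2410 uid=bob auid=bob ses=4 major=136 minor=1 comm=bash data="ls",<ret>
type=TTY msg=audit(09/12/2017 10:16:30.250:480) : tty pid=2522 uid=alice2 auid=alice2 ses=5 major=136 minor=2 comm=bash data="pwd",<ret>
EOF
}

# tty_audit_summary USER  (hypothetical helper name)
# Reads interpreted TTY records on stdin and prints, tab separated,
# timestamp, uid, auid, comm and data for records whose uid or auid is USER.
tty_audit_summary() {
    awk -v want="$1" '
    /^type=TTY / {
        # Timestamp: text inside audit(...), without the trailing :serial.
        p = index($0, "msg=audit(")
        if (p == 0) next
        ts = substr($0, p + 10)
        ts = substr(ts, 1, index(ts, ")") - 1)
        sub(/:[0-9]+$/, "", ts)

        # data= is the last field and may itself contain spaces or "=".
        at = index($0, " data=")
        if (at == 0) next
        data = substr($0, at + 6)

        # Everything before data= is a run of space separated key=value pairs.
        split("", kv)
        n = split(substr($0, 1, at - 1), tok, " ")
        for (i = 1; i <= n; i++) {
            eq = index(tok[i], "=")
            if (eq > 0) kv[substr(tok[i], 1, eq - 1)] = substr(tok[i], eq + 1)
        }

        # Exact match, so "alice" does not also select "alice2".
        if (kv["uid"] == want || kv["auid"] == want)
            printf "%s\t%s\t%s\t%s\t%s\n", ts, kv["uid"], kv["auid"], kv["comm"], data
    }'
}

# Live use would be: ausearch -ts today -m tty -i | tty_audit_summary alice
sample_records | tty_audit_summary alice
```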