To enable audit logging on Linux so that the commands users type are recorded, add the line below to /etc/pam.d/system-auth:
session required pam_tty_audit.so enable=*
Once done, run the command below to view the output:
ausearch -ts today -m tty -i
To filter the output further, add the following (replace user with the account name to match):
ausearch -ts today -m tty -i |grep id=user | cut -d '=' -f3,5,6,10
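An added example (not from the original post): a name-based alternative to the grep/cut filter above. It compares the uid and auid fields exactly, so a longer account name that starts with the one searched for, or typed text that happens to contain id=user, is not picked up. The function names, the sample records and their field layout are constructed assumptions.

```shell
#!/bin/sh
# Added example: filter "ausearch -m tty -i" records by field name, not position.

# Constructed sample records; the field layout is an assumption modelled on
# interpreted (-i) TTY records and may differ between audit versions.
sample_tty_records() {
    cat <<'EOF'
----
type=TTY msg=audit(03/14/2024 10:02:11.421:512) : tty pid=2101 uid=alice auid=alice ses=7 major=136 minor=0 comm=bash data="ls -l /etc/pam.d",<ret>
----
type=TTY msg=audit(03/14/2024 10:03:40.009:530) : tty pid=2188 uid=root auid=alice ses=7 major=136 minor=0 comm=bash data="systemctl restart auditd",<ret>
----
type=TTY msg=audit(03/14/2024 10:05:02.775:541) : tty pid=2240 uid=alice2 auid=alice2 ses=9 major=136 minor=1 comm=bash data="echo uid=alice",<ret>
EOF
}

# tty_by_user USER: read records on stdin, print
# time<TAB>auid<TAB>uid<TAB>comm<TAB>data for records whose auid or uid is USER.
tty_by_user() {
    awk -v user="$1" '
    /^type=TTY / {
        line = $0; data = ""
        # data= is the last field and holds typed text: split it off first
        # so nothing the user typed can be mistaken for a field.
        i = index(line, " data=")
        if (i) { data = substr(line, i + 6); line = substr(line, 1, i - 1) }

        # Timestamp: text between "msg=audit(" and the ":serial)" suffix.
        ts = line
        sub(/^.*msg=audit\(/, "", ts)
        sub(/:[0-9]+\).*$/, "", ts)

        # Collect the remaining key=value tokens by name.
        split("", kv)
        n = split(line, tok, " ")
        for (j = 1; j <= n; j++) {
            eq = index(tok[j], "=")
            if (eq) kv[substr(tok[j], 1, eq - 1)] = substr(tok[j], eq + 1)
        }

        # Exact match: auid keeps the login identity after su/sudo.
        if (kv["auid"] == user || kv["uid"] == user)
            printf "%s\t%s\t%s\t%s\t%s\n", ts, kv["auid"], kv["uid"], kv["comm"], data
    }'
}

# Demo on the constructed sample; on a live host:
#   ausearch -ts today -m tty -i | tty_by_user alice
sample_tty_records | tty_by_user alice
```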