-->

    • Recent Articles

    How to enable command line audit logging in linux

    Thursday, November 18, 2021 2

     This article will show the procedure to log all commands into the shell in a linux environment to log file. This can be useful for auditing user actions or for security audits.

    Solution

    1. Login to the linux box and assume root 

      #sudo su -

    2. Edit /etc/profile and add the following lines to the bottom of the file: 

      # command line audit logging
function log2syslog
{
   declare COMMAND
   COMMAND=$(fc -ln -0)
   logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
}
trap log2syslog DEBUG
    3. Save and exit /etc/profile

    4. Edit /etc/rsyslog.conf and add the following lines to the bottom of the file: 

      # command line audit logging
local1.* -/var/log/auditlogging
    5. Save and exit /etc/rsyslog.conf 

    6. Either restart the rsyslog service, or restart the whole machine to release all user sessions - forcing a reload of the bash profile and enacting the changes 

      #systemctl restart rsyslog

    7. The audit logging will be visible under /var/log/auditlogging and will look like this: 


    [root@nagiosclient ~]# tailf /var/log/auditlogging
    Nov 18 19:34:39 nagiosclient bash[17191]: root:
    Nov 18 19:34:39 nagiosclient bash[17193]: root:
    Nov 18 19:34:39 nagiosclient bash[17195]: root:
    Nov 18 19:34:39 nagiosclient bash[17197]: root:#011 ./Admin_Server_Status.sh
    Nov 18 19:34:52 nagiosclient bash[17277]: root:#011 ./Admin_Server_Status.sh
    Nov 18 19:34:52 nagiosclient bash[17281]: root:#011 ./Admin_Server_Status.sh
    Nov 18 19:50:00 nagiosclient bash[22779]: root:#011 ll /etc
    Nov 18 19:50:00 nagiosclient bash[22782]: root:#011 ll /etc
    Nov 18 19:50:08 nagiosclient bash[22832]: root:#011 ls
    Nov 18 19:50:08 nagiosclient bash[22835]: root:#011 ls
    Nov 18 19:50:26 nagiosclient bash[22946]: root:#011 cat Admin_Server_Status.sh
    Nov 18 19:50:26 nagiosclient bash[22949]: root:#011 cat Admin_Server_Status.sh
    Nov 18 19:50:28 nagiosclient bash[22969]: root:#011 who
    Nov 18 19:50:28 nagiosclient bash[22972]: root:#011 who
    Nov 18 19:50:31 nagiosclient bash[22986]: root:#011 w
    cmdline audit logs
    cmdline audit logs







    Tags:
    Author Image

    About Manas Ranjan Tripathy

    2 comments:

    1. UnknownDecember 21, 2021 at 6:32 PM

      Nicely explained with step by step commands. Thanks for the blog.

      ReplyDelete
    2. UnknownDecember 21, 2021 at 6:33 PM

      Well explained with step by step commands. Thank You Manas

      ReplyDelete

    Subscribe to: Post Comments ( Atom )