How to enable command line audit logging in linux
This article will show the procedure to log all commands into the shell in a linux environment to log file. This can be useful for auditing user actions or for security audits.
Solution
Login to the linux box and assume root
#sudo su -Edit /etc/profile and add the following lines to the bottom of the file:
# command line audit logging function log2syslog { declare COMMAND COMMAND=$(fc -ln -0) logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}" } trap log2syslog DEBUG- Save and exit /etc/profile
Edit /etc/rsyslog.conf and add the following lines to the bottom of the file:
# command line audit logging local1.* -/var/log/auditlogging- Save and exit /etc/rsyslog.conf
Either restart the rsyslog service, or restart the whole machine to release all user sessions - forcing a reload of the bash profile and enacting the changes
#systemctl restart rsyslogThe audit logging will be visible under /var/log/auditlogging and will look like this:
[root@nagiosclient ~]# tailf /var/log/auditlogging
Nov 18 19:34:39 nagiosclient bash[17191]: root:
Nov 18 19:34:39 nagiosclient bash[17193]: root:
Nov 18 19:34:39 nagiosclient bash[17195]: root:
Nov 18 19:34:39 nagiosclient bash[17197]: root:#011 ./Admin_Server_Status.sh
Nov 18 19:34:52 nagiosclient bash[17277]: root:#011 ./Admin_Server_Status.sh
Nov 18 19:34:52 nagiosclient bash[17281]: root:#011 ./Admin_Server_Status.sh
Nov 18 19:50:00 nagiosclient bash[22779]: root:#011 ll /etc
Nov 18 19:50:00 nagiosclient bash[22782]: root:#011 ll /etc
Nov 18 19:50:08 nagiosclient bash[22832]: root:#011 ls
Nov 18 19:50:08 nagiosclient bash[22835]: root:#011 ls
Nov 18 19:50:26 nagiosclient bash[22946]: root:#011 cat Admin_Server_Status.sh
Nov 18 19:50:26 nagiosclient bash[22949]: root:#011 cat Admin_Server_Status.sh
Nov 18 19:50:28 nagiosclient bash[22969]: root:#011 who
Nov 18 19:50:28 nagiosclient bash[22972]: root:#011 who
Nov 18 19:50:31 nagiosclient bash[22986]: root:#011 w
 |
| cmdline audit logs |
About Manas Ranjan Tripathy
No comments