DEVOPSZONES

    How to enable command line audit logging in Linux

     This article shows how to log every command typed into a shell on a Linux system to a log file. This is useful for auditing user actions and for security audits.

    Solution

    1. Log in to the Linux box and become root:

      #sudo su - 
    2. Edit /etc/profile and add the following lines to the bottom of the file (bash reads /etc/profile for login shells, so the trap takes effect in new login sessions):

      # command line audit logging
      function log2syslog
      {
         declare COMMAND
         # last entry from the shell history, without its history number
         COMMAND=$(fc -ln -0)
         # send to syslog facility local1 with tag "bash"; -i adds the logger PID
         logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
      }
      # bash runs the DEBUG trap before every simple command it executes
      trap log2syslog DEBUG
    3. Save and exit /etc/profile
    4. Edit /etc/rsyslog.conf and add the following lines to the bottom of the file:

      # command line audit logging
      # the leading "-" tells rsyslog not to sync the file after every write
      local1.* -/var/log/auditlogging
    5. Save and exit /etc/rsyslog.conf 
    6. Restart the rsyslog service. Existing sessions keep their old profile, so users must log out and back in for the trap to take effect; alternatively, restart the whole machine to end all user sessions and force a reload of /etc/profile:

      #systemctl restart rsyslog
    7. The audit log is written to /var/log/auditlogging and looks like this. The "#011" is rsyslog's escaped form of the tab that fc -ln places before each history entry; the empty entries appear when the trap fires before any command is in the history, and a command can be repeated because the trap fires before each simple command the shell runs, not once per typed line. Since the log is produced by the user's own shell, treat it as an activity log rather than tamper-proof evidence, and pair it with auditd where that matters:


    [root@nagiosclient ~]# tailf /var/log/auditlogging
    Nov 18 19:34:39 nagiosclient bash[17191]: root:
    Nov 18 19:34:39 nagiosclient bash[17193]: root:
    Nov 18 19:34:39 nagiosclient bash[17195]: root:
    Nov 18 19:34:39 nagiosclient bash[17197]: root:#011 ./Admin_Server_Status.sh
    Nov 18 19:34:52 nagiosclient bash[17277]: root:#011 ./Admin_Server_Status.sh
    Nov 18 19:34:52 nagiosclient bash[17281]: root:#011 ./Admin_Server_Status.sh
    Nov 18 19:50:00 nagiosclient bash[22779]: root:#011 ll /etc
    Nov 18 19:50:00 nagiosclient bash[22782]: root:#011 ll /etc
    Nov 18 19:50:08 nagiosclient bash[22832]: root:#011 ls
    Nov 18 19:50:08 nagiosclient bash[22835]: root:#011 ls
    Nov 18 19:50:26 nagiosclient bash[22946]: root:#011 cat Admin_Server_Status.sh
    Nov 18 19:50:26 nagiosclient bash[22949]: root:#011 cat Admin_Server_Status.sh
    Nov 18 19:50:28 nagiosclient bash[22969]: root:#011 who
    Nov 18 19:50:28 nagiosclient bash[22972]: root:#011 who
    Nov 18 19:50:31 nagiosclient bash[22986]: root:#011 w
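    As an added example, not part of the original post, here is a small Python parser for the log format this setup produces: it decodes rsyslog's #011 tab escape, drops the empty entries the DEBUG trap emits at session start, collapses the consecutive duplicates visible in the output above, and counts commands per user. The sample lines are constructed to match that output.

```python
import re
from collections import Counter

# Constructed sample in the format the article's setup produces:
# "<timestamp> <host> bash[<logger pid>]: <user>:<command>", including the
# empty entries and repeated lines seen in the original output.
SAMPLE_LOG = """\
Nov 18 19:34:39 nagiosclient bash[17191]: root:
Nov 18 19:34:39 nagiosclient bash[17197]: root:#011 ./Admin_Server_Status.sh
Nov 18 19:34:52 nagiosclient bash[17277]: root:#011 ./Admin_Server_Status.sh
Nov 18 19:34:52 nagiosclient bash[17281]: root:#011 ./Admin_Server_Status.sh
Nov 18 19:50:00 nagiosclient bash[22779]: root:#011 ll /etc
Nov 18 19:50:00 nagiosclient bash[22782]: root:#011 ll /etc
Nov 18 19:50:26 nagiosclient bash[22946]: root:#011 cat Admin_Server_Status.sh
Nov 18 19:50:26 nagiosclient bash[22949]: root:#011 cat Admin_Server_Status.sh
Nov 18 19:50:31 nagiosclient bash[22986]: root:#011 w
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) bash\[(?P<pid>\d+)\]: "
    r"(?P<user>[^:]*):(?P<cmd>.*)$"
)


def unescape_rsyslog(text):
    """rsyslog writes control characters as #NNN octal escapes;
    #011 is the tab that `fc -ln` prefixes to each history line."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)


def parse_audit_log(text):
    """Return (timestamp, host, user, command) tuples. Empty commands
    (trap fired before anything was in the history) are dropped, and a
    line that repeats the previous user/command within the same second
    is treated as the DEBUG trap firing again for the same command."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd = unescape_rsyslog(m.group("cmd")).strip()
        if not cmd:
            continue
        event = (m.group("ts"), m.group("host"), m.group("user"), cmd)
        if events and events[-1][0] == event[0] and events[-1][2:] == event[2:]:
            continue
        events.append(event)
    return events


def commands_per_user(events):
    """Count (user, program) pairs, where program is the first word typed."""
    return Counter((user, cmd.split()[0]) for _, _, user, cmd in events)
```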
    2 comments:

    1. Nicely explained with step by step commands. Thanks for the blog.

      ReplyDelete
    2. Well explained with step by step commands. Thank You Manas

      ReplyDelete