Audit on specific user in Linux

Hi All,

Please let me know how to enable user-specific audit on a Linux server.

Say I have specific users, namely admin1, admin2, admin3, apart from the normal users user1, 2, 3, ..., userN.
How do I enable audit for users admin1, admin2 and admin3 alone?
Also, please let me know if this would have any overload on the server.
Is the overload negligible?

Thanks a lot,
Pradeep.

Strong suggestion - use sudo and /etc/sudoers. Lock any direct login access.
For Solaris folks reading this: use /etc/user_attr and the associated tools.

This provides you with a lot more control: you set up who can get into admin1, and lets you log everything, for example with script. If the user exits from the script process, the session ends. You can also control what those user accounts can and cannot do.
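script usage in .profile:

# append a login marker (timestamp, account, shell PID) to the session log
echo "`date` admin1 logged in $$" >> /secure/log/file
# record the whole session, appending to the same log
script -a /secure/log/file
# leaving script ends the login session
exit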

This is not perfect, but is a decent start without invoking a whole lot of accounting.
There are also good keyloggers out there, but if you have someone trying to dodge security, by getting around key-logging or script, then you are crazy to have given them sudo access to admin in the first place.

I fear it's not addressing my question! :(

Hi,

I need to audit which user (with IP) has logged in and what files he has edited/deleted. This is available as a part of Unix, but it enables the logs for all users, which I need to edit for only certain users.

Thanks,
Pradeep

There are a few commercial solutions that provide this functionality. One of them is ObserveIT for Unix; it provides auditing both at the resource level, such as files etc., as well as at the keylogging level, such as SSH and telnet. With ObserveIT you can also set auditing rules per user, server, and command.
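The per-user requirement from this thread (track file deletions and writes for admin1, admin2 and admin3 only) can be sketched with the Linux audit subsystem's `auid` filter. This is an added example, not code from any poster in the thread; it assumes auditd is installed, and the function names, key names and passwd-file argument are hypothetical.

```shell
#!/bin/sh
# Added example: emit auditd rules limited to named users (by login UID).
# gen_user_audit_rules, sample_passwd and the key names are hypothetical.

# Usage: gen_user_audit_rules PASSWD_FILE WATCH_DIR USER...
# Prints rules suitable for a file under /etc/audit/rules.d/.
# Returns 1 if any named user is missing from PASSWD_FILE.
gen_user_audit_rules() {
    passwd_file=$1; watch_dir=$2; shift 2
    rc=0
    for user in "$@"; do
        # Exact match on the login-name field, so "admin1" cannot
        # pick up the UID of "admin10".
        uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd_file")
        case $uid in
            ''|*[!0-9]*)
                echo "skip: no numeric UID for '$user'" >&2
                rc=1
                continue ;;
        esac
        echo "## $user (auid=$uid)"
        # auid is the login UID: set at login and kept across su/sudo,
        # so activity is still attributed after the user becomes root.
        # Deletions and renames (add a matching arch=b32 rule on hosts
        # that also run 32-bit binaries):
        echo "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid=$uid -k ${user}_delete"
        # Writes and attribute changes under the watched directory:
        echo "-a always,exit -F dir=$watch_dir -F perm=wa -F auid=$uid -k ${user}_write"
    done
    return $rc
}

# Constructed sample passwd data so the sketch runs offline.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:1000:1000::/home/user1:/bin/bash
admin1:x:1001:1001::/home/admin1:/bin/bash
admin10:x:1010:1010::/home/admin10:/bin/bash
admin2:x:1002:1002::/home/admin2:/bin/bash
EOF
}

# Demo (stdout is the rule file content):
#   sample_passwd > /tmp/passwd.sample
#   gen_user_audit_rules /tmp/passwd.sample /etc admin1 admin2
# Review matching events later with: ausearch -k admin1_delete -i
```

Because every rule carries an `auid=` condition, ordinary users such as user1 generate no records from these rules, which keeps the log volume tied to the audited accounts.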