Jan 13 17:09:05 SERVER1 bash[727]: user1: ls -l
Jan 13 17:09:05 SERVER1 bash[731]: user1: hostname
Jan 13 17:09:05 SERVER1 bash[735]: user5: uname -a
Jan 13 17:09:05 SERVER1 bash[739]: user2: clear
Jan 17 14:51:12 SERVER1 bash[143477]: root:#011
Jan 17 14:51:28 SERVER1 bash[143480]: root:#011
Jan 17 14:51:28 SERVER1 bash[143483]: root:#011
Jan 17 14:51:28 SERVER1 bash[143486]: root:#011
Jan 17 14:51:28 SERVER1 bash[143489]: root:#011
---------- Post updated at 11:36 PM ---------- Previous update was at 11:05 PM ----------
This is the current output that I have.
Jan 17 15:32:34 SERVER1 bash[146147]: user1 as root:
Jan 17 15:32:34 SERVER1 bash[146151]: user1 as root:
Jan 17 15:32:34 SERVER1 bash[146155]: user1 as root:
Jan 17 15:32:34 SERVER1 bash[146159]: user1 as root:
Jan 17 15:32:34 SERVER1 bash[146163]: user1 as root:
Jan 17 15:32:34 SERVER1 bash[146189]: user1 as root:#011 exit
Jan 17 15:32:37 SERVER1 bash[146193]: user1 as root:#011 exit
Jan 17 15:32:37 SERVER1 bash[146198]: user1 as root:#011 exit
Jan 17 15:32:43 SERVER1 bash[146210]: user1 as root:#011 hostname
Jan 17 15:32:43 SERVER1 bash[146215]: user1 as root:#011 hostname
Jan 17 15:32:49 SERVER1 bash[146422]: user1 as root:#011 uname -a
Jan 17 15:32:49 SERVER1 bash[146426]: user1 as root:#011 uname -a
How about using the built-in audit software from your operating system?
Audit configuration can look scary at first, but it's mostly a one time setup per requirement.
Writing custom scripts will only make things difficult in the future.
Not to mention bypassing such scripts could be trivial, beating the audit purpose completely.
So it will throw the output below in /var/log/audit/audit.log? I believe I have tried this before.
Thanks
Jan 13 17:09:05 SERVER1 bash[727]: user1: ls -l
Jan 13 17:09:05 SERVER1 bash[731]: user1: hostname
Jan 13 17:09:05 SERVER1 bash[735]: user5: uname -a
Jan 13 17:09:05 SERVER1 bash[739]: user2: clear
What user are you attempting to audit? If it's root, one cheap way to do audit is to not give them direct root access and let them do everything through sudo. Every time they call sudo that will be logged.
For example, we have an activity. I just want to do a tail -f /var/log/messages and see what is going on. I have been able to achieve it, but not 100%. I tried a lot of ways, but to no avail; it's not what I am expecting.
Jan 13 17:09:05 SERVER1 bash[727]: user1: vi /etc/httpd/conf.d/httpd.conf
Jan 13 17:09:05 SERVER1 bash[731]: user1: service httpd restart
Jan 13 17:09:05 SERVER1 bash[735]: user5: tail -f /var/log/messages
Jan 13 17:09:05 SERVER1 bash[739]: user2: sudo su -
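An added example (not code from any post in this thread) of the logger-based approach the thread is circling around: a PROMPT_COMMAND hook that emits the "user: command" / "user as root: command" lines shown above. The "#011" in the earlier output is rsyslog's octal escape for a tab copied from "history" output, and the blank "root:#011" entries are empty commands; the helper below strips the history number, collapses tabs and spaces, and skips empty entries so neither appears. Function names are hypothetical; it assumes bash with the logger utility available.

```bash
#!/usr/bin/env bash
# Hypothetical helpers for syslog-based shell command logging (constructed example).

# Build "orig as effective" when the shell was reached through sudo
# (SUDO_USER is kept by "sudo -i"/"sudo -s"; "su -" clears it, so we then
# fall back to the effective user alone).
caller_label() {
    local original="$1" effective="$2"
    if [ -n "$original" ] && [ "$original" != "$effective" ]; then
        printf '%s as %s\n' "$original" "$effective"
    else
        printf '%s\n' "$effective"
    fi
}

# Turn one line of "history 1" output ("  727  ls -l") into "who: ls -l".
# Tabs are folded into spaces so rsyslog never has to escape them as #011.
# Returns 1 for an empty command so the caller can skip logging it.
format_cmd_entry() {
    local who="$1" hist_line="$2" cmd
    cmd=$(printf '%s' "$hist_line" \
        | sed -E 's/^[[:space:]]*[0-9]+[[:space:]]*//' \
        | tr '\t' ' ' | tr -s ' ' \
        | sed -E 's/^ +//; s/ +$//')
    [ -n "$cmd" ] || return 1
    printf '%s: %s\n' "$who" "$cmd"
}

# PROMPT_COMMAND hook: runs before each prompt and logs the command just run.
# Produces lines like "SERVER1 bash: user1 as root: uname -a" in syslog.
log_last_command() {
    local who msg
    who=$(caller_label "${SUDO_USER:-}" "$(id -un)")
    msg=$(format_cmd_entry "$who" "$(HISTTIMEFORMAT= history 1)") || return 0
    logger -p local6.info -t bash "$msg"
}

# Enable in interactive shells (e.g. from /etc/profile.d, an assumption):
#   PROMPT_COMMAND='log_last_command'
# This is advisory logging only: a user can unset the hook, which is why the
# other replies point to auditd or sudo logging for a tamper-resistant record.
```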