track commands run as root after sudo

I'm looking for a way to track commands that are run as root after a user runs sudo su - root. I have a profile set up for root that will track the commands by userid, but if we change the shell it only stores it in that shell's history file.

I used the search function of the forum looking for "track commands" and selecting the AIX forum as target:
sudo log and sudo auditing
Tracking Root commands
AIX audit users activity
User Auditing

Compile and install rootsh (that's what I did) and now all activity on the command line is logged to syslog (and from there to Splunk), per session, per user, all inputs (and if opted for at compile time, all outputs too).

There's also a tool called sudosh that may be of use to you (creates logs for auditing later).

Some issues with buffer and control characters core dumping your shell, but by and large it does the job of "unescapable command line auditing", where sudo only does the job of "unescapable command execution".

Rootsh is on SourceForge. I had more success with an older version; I think the latest version wasn't happy on AIX 5.3 (I did this ages ago...).