I want to audit all commands on Linux servers. We all have our own login accounts to do things, but sometimes we need root access. That's no problem. But when I log in with my user, my actions aren't logged. Any user I log in with doesn't seem to be logged.
For example:
[oracle@testvmol ~]$ ls
Desktop Downloads Pictures test Videos
Documents Music Public Templates
[oracle@testvmol ~]$ rm test
[oracle@testvmol ~]$ su -
Password:
[root@testvmol ~]# ausearch -ts today -m tty -i
----
type=TTY msg=audit(04/11/2019 14:08:45.744:36) : tty pid=3574 uid=root auid=oracle ses=2 major=136 minor=0 comm=bash data="ausearch -ts today -m tty -i",<ret>
You can see that only the actions after the switch are logged. Not even the user switch itself! Everything should be logged right away...
This is the config I used.
vi /etc/pam.d/password-auth
vi /etc/pam.d/system-auth
session required pam_tty_audit.so open_only disable=* enable=root,oracle
Can anyone help me to log ALL actions?
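
Added example, not part of the original post: a small Python parser for interpreted TTY records like the one shown above, grouping the logged command lines by (auid, uid) so it is easy to see which identities actually have keystrokes in the audit log. The second sample record is constructed, and the handling of the data field (quoted text and <name> control-key tokens) is an assumption based on the single record in the post.

```python
import re
from collections import defaultdict

# Interpreted (ausearch -i) TTY record, in the shape shown in the post.
REC = re.compile(r'type=TTY msg=audit\((?P<when>[^)]*?):(?P<serial>\d+)\) : tty '
                 r'(?P<fields>.*?) data=(?P<data>.*)$')
# Assumption: data is a comma-separated run of "typed text" and <control-key> tokens.
TOKEN = re.compile(r'"([^"]*)"|<([^>]+)>')

def parse_tty_record(line):
    """Return a dict of the record's fields plus a 'commands' list, or None."""
    m = REC.search(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    rec["when"], rec["serial"] = m["when"], int(m["serial"])
    commands, current = [], ""
    for text, ctrl in TOKEN.findall(m["data"]):
        if ctrl == "ret":          # Enter ends the command line
            commands.append(current)
            current = ""
        elif ctrl:                 # keep other control keys visible, e.g. <backspace>
            current += f"<{ctrl}>"
        else:
            current += text
    if current:                    # input typed but not yet terminated by Enter
        commands.append(current)
    rec["commands"] = commands
    return rec

def commands_by_identity(lines):
    """Group logged command lines by (auid, uid): login identity, effective user."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_tty_record(line)
        if rec:
            seen[(rec.get("auid"), rec.get("uid"))].extend(rec["commands"])
    return dict(seen)

SAMPLE = [
    # Record copied from the post.
    'type=TTY msg=audit(04/11/2019 14:08:45.744:36) : tty pid=3574 uid=root auid=oracle ses=2 major=136 minor=0 comm=bash data="ausearch -ts today -m tty -i",<ret>',
    # Constructed record (not from the post): same layout, pre-su shell.
    'type=TTY msg=audit(04/11/2019 14:08:40.101:35) : tty pid=3501 uid=oracle auid=oracle ses=2 major=136 minor=0 comm=bash data="ls",<ret>,"rm tesst",<backspace>,<backspace>,"t",<ret>,"su -",<ret>',
    "----",
]

if __name__ == "__main__":
    for ident, cmds in commands_by_identity(SAMPLE).items():
        print(ident, cmds)
```

In the record from the post, auid stays oracle while uid is root, so grouping on the pair keeps commands typed after `su -` attributable to the original login.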