I want to audit all commands on Linux servers. We all have our own login accounts to do things but sometimes we need root access. That's no problem. But when logging in with my user my actions aren't logged. Any user I login with doesn't seem to be logged.

For example:

[oracle@testvmol ~]$ ls
Desktop    Downloads  Pictures  test       Videos
Documents  Music      Public    Templates
[oracle@testvmol ~]$ rm test
[oracle@testvmol ~]$ su -
Password: 
[root@testvmol ~]# ausearch -ts today -m tty -i
----
type=TTY msg=audit(04/11/2019 14:08:45.744:36) : tty pid=3574 uid=root auid=oracle ses=2 major=136 minor=0 comm=bash data="ausearch -ts today -m tty -i",<ret>

You can see only the actions after the switching are logged. Not even the user switch itself! Everything should be logged right away...

This is the config I used.

vi /etc/pam.d/password-auth
vi /etc/pam.d/system-auth
    session required pam_tty_audit.so open_only disable=* enable=root,oracle

Can anyone help me to log ALL actions?