Home / server / Questions / 336217
Accepted
Supratik
Asked: 2011-12-01 06:01:06 +0800 CST

How do I log every command executed by a user?

  • 772

I want to monitor all user's activity in my server.

Even when the user executes a shell command from some editor like vim I want to see them in the log file.

I have checked the tool acct but it is not listing the complete commands. (Please correct me if I have missed some options which does already).

Which Linux tool I should be looking at to solve this problem?

linux user-management

5 Answers

  1. Best Answer

    Add this line to your pam config responsible for logins (its system-auth on redhat based distros)

    session    required     pam_tty_audit.so enable=*

    To find out what was done, you can use.

    ausearch -ts <some_timestamp> -m tty -i

    This produces an output like this:

     type=TTY msg=audit(11/30/2011 15:38:39.178:12763684) : tty pid=32377 uid=root
 auid=matthew major=136 minor=2 comm=bash data=<up>,<ret>

    The only downside to this is is can be a little bit difficult to read, but it is much better than most proposed solutions since in theory it could be used to record an entire session, warts n all.

    Edit: Oh and you can use aureport to generate a list that can be more helpful.

    # aureport --tty
...
12. 11/30/2011 15:50:54 12764042 501 ? 4294967295 bash "d",<^D>
13. 11/30/2011 15:52:30 12764112 501 ? 4294967295 bash "aureport --ty",<ret>
14. 11/30/2011 15:52:31 12764114 501 ? 4294967295 bash <up>,<left>,<left>,"t",<ret>
    • 37

  2. The best solution to your problem would be Linux' built-in audit system. Use man 8 auditd or check this page for more information: http://linux.die.net/man/8/auditd.

    Also, you can check this tutorial - while it is slightly out of the scope of your question, it shows how the audit system works.

    • 9

  3. A lesser known trick, but easily the most awesome is just to use the built-in audit capabilities of sudo. Sudo ships with a sudoreplay command that makes replaying sessions easy. It will even relay vim sessions (as you suggest).

    Here's how to use it in a few easy steps:

    1. Install sudosh on your system; this is a shell wrapper around the sudo command that makes a user sudo themselves (not root) and can be used as a system login shell

    2. Enable sudo logging. Edit /etc/sudoers.d/sudosh: Defaults log_output Defaults!/usr/bin/sudoreplay !log_output Defaults!/sbin/reboot !log_output

    3. Add this command to /etc/shells to permit logins using it: /usr/bin/sudosh

      Tip: to prevent users from using other shells to login, remove those other shells from /etc/shells.

    4. Update the user foobar to use the sudosh shell. chsh -s /usr/bin/sudosh foobar

    For more detailed information, see: https://github.com/cloudposse/sudosh/

    • 4

  4. You could use snoopy.

    It is a simple command logging library, and not a proper audit solution (easily circumvented). Disclosure: I am current snoopy maintainer.

    • 3

  5. here's a magic solution : http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html

    • yum install psacct (redhat)
    • sudo apt-get install acct

    you ca display statistic about user commands/connection etc..

    List all commands invoked by a given user ...

    Search the accounting logs by command name: $ lastcomm rm $ lastcomm passwd

    and so on, for more informations please visit the above link ..

    • 1