Logging user or group commands like sudo on Linux
Bash Profile
~/.bashrc
if [ -n "${BASH_VERSION}" ]; then
    # DEBUG trap runs before every simple command; `caller` fails outside a
    # function, so only top-level interactive commands are logged.
    trap "caller >/dev/null || \
printf '%s\\n' \"\$(date '+%Y-%m-%dT%H:%M:%S%z') \
\$(tty) \${BASH_COMMAND}\" 2>/dev/null >>~/.command_log" DEBUG
fi
cat ~/.command_log
Sudo
/etc/sudoers.d/log
root        ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: ALL
%admingroup ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: ALL
/var/log/sudo-io/ (recorded sessions can be played back with sudoreplay)
auditd
This produces a large volume of log data (every execve by a root-effective process), so it may be more than you want.
apt-get install auditd
/etc/audit/audit.rules
-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve
reboot
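Once the rules above are active, each root execve shows up in /var/log/audit/audit.log as a SYSCALL record (who ran it) plus an EXECVE record (the argv), linked by the audit(<time>:<id>) event id. The script below is an added example, not from this page or the audit project, that joins those pairs back into readable command lines; the log lines it reads are constructed sample data. Hex-encoded argv values (used by auditd for arguments containing spaces or non-printable bytes) are passed through undecoded; `ausearch -i` decodes them.

```shell
#!/usr/bin/env bash
# Added example (not from the page): rebuild command lines from the
# EXECVE/SYSCALL record pairs that the page's auditd rules produce.
set -eu

# Constructed sample of /var/log/audit/audit.log content: two execve
# events (ids 101 and 102), each a SYSCALL record (who) plus an EXECVE
# record (argv), joined by the audit(<time>:<id>) event id.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 a0=5 a1=6 a2=7 a3=0 items=2 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=EXECVE msg=audit(1700000000.100:101): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 a0=5 a1=6 a2=7 a3=0 items=2 ppid=2000 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="useradd" exe="/usr/sbin/useradd" key=(null)
type=EXECVE msg=audit(1700000000.200:102): argc=3 a0="useradd" a1="-m" a2="backup"'

# reconstruct_execve: audit records on stdin -> one line per event:
#   <event-id> auid=<login uid> euid=<effective uid> tty=<tty> cmd=<argv>
# auid is the original login identity, which survives sudo/su.
reconstruct_execve() {
  awk '
    # kv(name): value of " name=..." in the current record; quoted values
    # lose their quotes, unquoted ones (numbers, hex-encoded argv) are raw.
    function kv(name,   key, s) {
      key = " " name "="
      if (match($0, key "\"[^\"]*\"")) {
        s = substr($0, RSTART + length(key), RLENGTH - length(key))
        return substr(s, 2, length(s) - 2)
      }
      if (match($0, key "[^ ]*"))
        return substr($0, RSTART + length(key), RLENGTH - length(key))
      return "?"
    }
    {
      if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
      id = substr($0, RSTART, RLENGTH); sub(/.*:/, "", id); sub(/\)/, "", id)
      if (!(id in seen)) { seen[id] = 1; order[++n] = id }
      if ($1 == "type=SYSCALL") {
        auid[id] = kv("auid"); euid[id] = kv("euid"); tty[id] = kv("tty")
      } else if ($1 == "type=EXECVE") {
        argc = kv("argc") + 0; cmd = ""
        for (i = 0; i < argc; i++) cmd = cmd (i ? " " : "") kv("a" i)
        argv[id] = cmd
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        printf "%s auid=%s euid=%s tty=%s cmd=%s\n", id, auid[id], euid[id], tty[id], argv[id]
      }
    }'
}
# Demo on the constructed sample; on a real host: reconstruct_execve < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | reconstruct_execve
```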