Logging user or group commands like sudo on Linux

From UVOO Tech Wiki
Revision as of 13:13, 18 May 2021 by Busk (talk | contribs)

Bash Profile

~/.bashrc

# Append every interactive command, with timestamp and tty, to ~/.command_log
# before it runs. "caller" succeeds only inside a function or a sourced file,
# so commands from those contexts are skipped and only typed commands are logged.
if [ -n "${BASH_VERSION}" ]; then
    trap "caller >/dev/null || \
printf '%s\\n' \"\$(date '+%Y-%m-%dT%H:%M:%S%z')\
 \$(tty) \${BASH_COMMAND}\" 2>/dev/null >>~/.command_log" DEBUG
fi

cat ~/.command_log

Sudo

/etc/sudoers.d/log

root         ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: ALL
%admingroup         ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: ALL

/var/log/sudo-io/
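The I/O log directory above is normally browsed with sudoreplay -l, but its layout is worth knowing when you have to examine it by hand. The shell script below is an added example, not code from the wiki page: it lists sessions by reading the plain-text log header sudo writes in each session directory under the iolog_dir. It assumes the sudo 1.8 header format (line 1 timestamp:submit user:submit group:run-as user:run-as group:tty:rows/cols, line 2 the working directory, line 3 the command line), which sudo 1.9 still writes alongside its newer log.json. The session tree it builds is constructed sample data, not real sessions.

```sh
#!/bin/sh
# Added example (not from the wiki page). Lists sudo I/O log sessions by
# reading the plain-text "log" header in each session directory under the
# iolog_dir (/var/log/sudo-io by default). Assumed header format (sudo 1.8):
#   line 1: timestamp:submituser:submitgroup:runasuser:runasgroup:tty:rows/cols
#   line 2: working directory
#   line 3: command line
# Session directories are sequenced as <iolog_dir>/00/00/01, 00/00/02, ...

# Print one line per session:
#   "<epoch> <submit user>-><run-as user> <tty> <cwd> <command>"
list_sudo_sessions() {
    iolog_dir="$1"
    find "$iolog_dir" -type f -name log | sort | while read -r logfile; do
        awk '
            NR == 1 { split($0, h, ":"); ts = h[1]; user = h[2]; runas = h[4]; tty = h[6] }
            NR == 2 { cwd = $0 }
            NR == 3 { cmd = $0 }
            END { printf "%s %s->%s %s %s %s\n", ts, user, runas, tty, cwd, cmd }
        ' "$logfile"
    done
}

# Build a constructed sample iolog tree (two sessions) for offline use.
make_sample_iolog() {
    dir="$1"
    mkdir -p "$dir/00/00/01" "$dir/00/00/02"
    printf '%s\n' '1621343580:busk:busk:root:root:/dev/pts/0:24/80' \
        '/home/busk' '/bin/ls -la /root' > "$dir/00/00/01/log"
    printf '%s\n' '1621343700:busk:busk:root:root:/dev/pts/1:24/80' \
        '/tmp' '/usr/bin/vi /etc/passwd' > "$dir/00/00/02/log"
}

# Usage on a real host: list_sudo_sessions /var/log/sudo-io
```

The session files are written by root and are not writable by the invoking user, which is what makes this directory a usable audit trail compared with ~/.command_log, which the user can edit or disable. Note that the fragment above pairs the logging tags with NOPASSWD:, so the I/O log records what ran but nothing re-authenticates the user first.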

auditd

This produces a large volume of log data, so it may be excessive for some systems.

apt-get install auditd

/etc/audit/audit.rules

# Record every execve() made with effective uid 0 (root), for both the
# 64-bit and the 32-bit syscall ABI.
-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve

reboot
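Raw audit.log records from the rules above come in pairs: a SYSCALL record (carrying auid, the login uid that survives sudo and su, plus uid and tty) and an EXECVE record (carrying argv), linked by the same msg=audit(time:serial) id. On a live host ausearch(8) and aureport(8) join these for you; the script below is an added example, not from the wiki page, that performs the same join with awk on a constructed sample log so the record layout is visible offline. Arguments containing spaces or control characters are hex-encoded without quotes in EXECVE records and are left as-is here (ausearch -i decodes them).

```sh
#!/bin/sh
# Added example (not from the wiki page). Reconstructs "who ran what as root"
# from raw audit.log records produced by the execve rules above. auditd writes
# one SYSCALL record and one EXECVE record per exec, sharing the same
# msg=audit(<time>:<serial>) id; the SYSCALL record carries auid (login user,
# preserved across sudo/su), uid and tty, the EXECVE record carries argv.

# Print one line per exec event, sorted by time:
#   "<time:serial> auid=<login uid> uid=<uid> tty=<tty> <argv...>"
root_execs() {
    awk '
        # "<time>:<serial>" from msg=audit(<time>:<serial>)
        function event_id(line,    m) {
            match(line, /msg=audit\([0-9.]+:[0-9]+\)/)
            return substr(line, RSTART + 10, RLENGTH - 11)
        }
        # value of " key=value" (quotes stripped); the leading space keeps
        # "uid=" from matching inside "auid=", "euid=", "fsuid=" etc.
        function field(line, key,    m) {
            if (match(line, " " key "=[^ ]+")) {
                m = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
                gsub(/"/, "", m)
                return m
            }
            return ""
        }
        /^type=SYSCALL / {
            id = event_id($0)
            auid[id] = field($0, "auid"); uid[id] = field($0, "uid"); tty[id] = field($0, "tty")
        }
        /^type=EXECVE / {
            id = event_id($0)
            n = field($0, "argc") + 0   # force numeric so argc >= 10 compares correctly
            argv = ""
            for (i = 0; i < n; i++) argv = argv (i ? " " : "") field($0, "a" i)
            args[id] = argv
        }
        END {
            for (id in args)
                if (id in auid)
                    printf "%s auid=%s uid=%s tty=%s %s\n", id, auid[id], uid[id], tty[id], args[id]
        }
    ' "$1" | sort -n
}

# Constructed sample audit.log (not a real capture): the user with auid=1000
# runs "sudo ls -la", giving two execs: sudo itself (setuid, so euid=0 while
# uid stays 1000) and then ls as root.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1621343580.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd1 a1=7ffd2 a2=7ffd3 a3=0 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=EXECVE msg=audit(1621343580.123:456): argc=3 a0="sudo" a1="ls" a2="-la"
type=SYSCALL msg=audit(1621343580.130:457): arch=c000003e syscall=59 success=yes exit=0 a0=55aa1 a1=55aa2 a2=55aa3 a3=0 items=2 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1621343580.130:457): argc=2 a0="ls" a1="-la"
EOF
}

# Usage on a real host: root_execs /var/log/audit/audit.log
```

The auid column is the point of the exercise: even after sudo switches uid to 0, auid still names the account that logged in, so each root command can be tied back to a person rather than to "root".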