Sungju's Slow Life

Personal journal

How to keep record the commands executed by root

If you want to keep record of the commands executed by root account, you can achieve that by using audit rules.

First, add the below line in /etc/audit/audit.rules

-a entry,always -S execve -F uid=0

And restart auditd to apply the changes

$ chkconfig auditd on
$ service auditd restart

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: