How to enable and view user audit logs in Linux
How can I enable and view user audit logs (i.e., who logs in, info about su to root, what commands were executed by root and history log files)? I've done this in Unix, but my company wants to switch to Linux, and our small team of Unix admins is "playing" with Linux on some boxes. In particular, I'm playing catch-up in learning about that OS. We all su to root -- however, someone blew something away, and we need to find out what happened.
This may be a problem that may be unsolvable for your given situation but preventable in the future. The su command allows users to take actions as if they were the root user. This is very useful and very dangerous. The danger is that unless the root user is being logged via sulog, there may be no record of su activity. The location of the su log is kept in /etc/default/su if sulog is running. If there is a log, you can look there and then analyze what might have been "blown away." One other solution for your current problem: if you are using a bash shell (which is very likely), you could look in the /root directory for the .bash_history, which would show the last x number of commands committed in that shell. You could then do some detective work to see what course of events may have caused your problems.
However, I would not recommend using the su command frequently. I would recommend you use the sudo command, which lets you temporarily execute commands as the superuser. This is a much better practice because the sudo command can limit activity by user and timestamp actions back to the user who committed the act. The timestamp is logged by userid so there is a better accounting of who is executing commands which leaves a distinct audit trail. For example, by executing the command sudo rm /home/olduser you would have a log of what user removed the directory /home/olduser. Also, you can limit what superusers can do in the /etc/sudoers file so that users who are unsure of what they are doing can't do critical damage. It's a good practice any time but especially as your admins come up to speed.
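The audit trail described in the answer above, as an added example that is not part of the original answer: a Python sketch that pulls su and sudo events out of syslog-style authentication log lines. The log lines are constructed samples, the function names parse_line and audit are hypothetical, and the log location and exact line format vary by distribution.

```python
import re

# Constructed sample lines in the syslog format written by sudo and pam_unix.
# Assumption: such lines live in /var/log/auth.log or /var/log/secure (distro-dependent).
SAMPLE_LOG = """\
Dec  3 10:14:55 box1 sshd[2101]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Dec  3 10:15:02 box1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -r /home/olduser
Dec  3 10:16:40 box1 su: pam_unix(su:session): session opened for user root by bob(uid=1001)
Dec  3 10:17:05 box1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/fdisk /dev/sda
Dec  3 10:20:11 box1 su: pam_unix(su:session): session opened for user root(uid=0) by carol(uid=1002)
"""

PREFIX = r"^(?P<time>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s"
SUDO_RE = re.compile(PREFIX + r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$")
SU_RE = re.compile(
    PREFIX + r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): session opened for user "
    r"(?P<target>[^\s(]+)(?:\(uid=\d+\))? by (?P<user>[^\s(]*)\(uid=\d+\)")


def parse_line(line):
    """Return one audit event (dict) for a sudo or su line, else None."""
    m = SUDO_RE.match(line)
    if m:
        # COMMAND= is last; split it off first so " ; " in its arguments is not a separator.
        head, _, command = m["body"].partition("COMMAND=")
        fields = [f.strip() for f in head.split(" ; ") if f.strip()]
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        # A field without "=" is sudo's refusal reason, e.g. "command not allowed".
        refused = [f for f in fields if "=" not in f]
        return {"time": m["time"], "via": "sudo", "user": m["user"],
                "target": kv.get("USER"), "command": command or None,
                "allowed": not refused}
    m = SU_RE.match(line)
    if m:
        # su records only the switch itself; later commands are not tied to the user.
        return {"time": m["time"], "via": "su", "user": m["user"],
                "target": m["target"], "command": None, "allowed": True}
    return None


def audit(log_text):
    """Parse every line and keep only the su/sudo events, in log order."""
    return [e for e in map(parse_line, log_text.splitlines()) if e]


if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        print(e["time"], e["via"], e["user"], "->", e["target"],
              "OK" if e["allowed"] else "REFUSED", e["command"] or "(interactive shell)")
```

The su events carry no command, so anything done in that root shell has to be reconstructed from other sources such as /root/.bash_history, while each sudo event names both the user and the exact command.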
This was first published in December 2004