How to enable and view user audit logs in Linux

How can I enable and view user audit logs (i.e., who logs in, info about su to root, what commands were executed by root and history log files)? I've done this in Unix, but my company wants to switch to Linux, and our small team of Unix admins is "playing" with Linux on some boxes. In particular, I'm playing catch-up in learning about that OS. We all su to root -- however, someone blew something away, and we need to find out what happened.

This may be a problem that may be unsolvable for your given situation but preventable in the future. The su command allows users to take actions as if they were the root user. This is very useful and very dangerous. The danger is that unless the root user is being logged via sulog, there may be no record of su activity. The location of the su log is kept in /etc/default/su if sulog is running. If there is a log, you can look there and then analyze what might have been "blown away." One other solution for your current problem, if you are using a bash shell (which is very likely), is to look in the /root directory for the .bash_history file, which would show the last x number of commands committed in that shell. You could then do some detective work to see what course of events may have caused your problems.

However, I would not recommend using the su command frequently. I would recommend you use the sudo command, which lets you temporarily execute commands as the superuser. This is a much better practice because the sudo command can limit activity by user and timestamp actions back to the user who committed the act. The timestamp is logged by userid so there is a better accounting of who is executing commands which leaves a distinct audit trail. For example, by executing the command sudo rm /home/olduser you would have a log of what user removed the directory /home/olduser. Also, you can limit what superusers can do in the /etc/sudoers file so that users who are unsure of what they are doing can't do critical damage. It's a good practice any time but especially as your admins come up to speed.
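The audit trail described above is only useful if you can pull it apart after the fact. The following is an added example, not part of the original answer: it parses the syslog records that sudo and pam_unix write (to /var/log/auth.log on Debian-style systems or /var/log/secure on Red Hat-style ones), separates allowed sudo commands from denied attempts and from su-to-root sessions, and answers the question in the original post: which user ran a command that touched a given path. The log lines are constructed samples in the standard sudo and pam_unix format; the host name, user names, and the `who_touched` and `root_activity_report` helpers are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sudo and pam_unix write to syslog.
SAMPLE_LOG = """\
Dec  5 10:15:01 box1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -rf /home/olduser
Dec  5 10:16:22 box1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Dec  5 10:17:03 box1 su[2201]: pam_unix(su:session): session opened for user root by carol(uid=1002)
Dec  5 10:18:40 box1 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
"""

# sudo records: an optional failure reason (e.g. "user NOT in sudoers") sits
# between the invoking user and the TTY field.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo(?:\[\d+\])?:\s+(?P<user>\S+) :"
    r"(?: (?P<denied>[^;]*?) ;)? TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ;"
    r" USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# su records: pam_unix only notes who opened a session as whom, not the commands.
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) su(?:\[\d+\])?: pam_unix\(su:session\): "
    r"session opened for user (?P<target>\S+) by (?P<user>[^(\s]+)"
)


def parse_auth_log(text):
    """Return one event dict per sudo or su record; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "user": m["user"], "target": m["target"],
                           "cmd": m["cmd"], "denied": m["denied"] is not None, "via": "sudo"})
            continue
        m = SU_RE.match(line)
        if m:  # no per-command record exists for su; only the switch itself is logged
            events.append({"ts": m["ts"], "user": m["user"], "target": m["target"],
                           "cmd": None, "denied": False, "via": "su"})
    return events


def who_touched(events, path):
    """Users whose allowed sudo command line mentions `path` (e.g. the directory that was removed)."""
    return sorted({e["user"] for e in events if e["cmd"] and path in e["cmd"] and not e["denied"]})


def root_activity_report(events):
    """Per-user counts: allowed sudo commands, denied sudo attempts, and opaque su sessions."""
    report = defaultdict(lambda: {"allowed": 0, "denied": 0, "su_sessions": 0})
    for e in events:
        key = "su_sessions" if e["via"] == "su" else ("denied" if e["denied"] else "allowed")
        report[e["user"]][key] += 1
    return dict(report)
```

The su session for carol shows up in the report with no command attached, which is exactly the gap the answer describes: sudo records the command and the user who ran it, su records only that someone became root.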

This was first published in December 2004