Re: Command logging after 'su'

Bash history is editable, so effectively useless for auditing. On top of that, by default, even if they don't unset the histfile or use one of the many other ways to clear the entries, only the last exited session actually writes to the histfile. It also doesn't catch what happens if a user opens a shell through another method (i.e. sudo vim, then open a shell).

PAM auditing will catch all of that as long as audit.log is being shipped off the server.

Sent from my iPhone

On Sep 22, 2010, at 11:00 AM, "Elliott, Andrew" <Andrew.Elliott@xxxxxxxx> wrote:

> ...Should be in the .history (bash) file, no?
> 
> You should try to get them to use 'sudo'.  That will capture all the commands in the users' .bash_history rather than root's...
> 
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Marti, Robert
> Sent: Wednesday, September 22, 2010 11:41 AM
> To: przemolicc@xxxxxxxxx; General Red Hat Linux discussion list
> Subject: Re: Command logging after 'su'
> 
> PAM can be configured to log every key a user presses via the audit daemon. This, however, is useless unless you ship logging off the box.
> 
> Sent from my iPhone
> 
> On Sep 22, 2010, at 10:36 AM, "przemolicc@xxxxxxxxx" <przemolicc@xxxxxxxxx> wrote:
> 
>> Hi,
>> 
>> we have user 'u1' which can do 'su - root'.
>> Is it possible to log all commands run by this user:
>> - during id=u1
>> - after su to 'root' ?
>> 
>> Regards
>> P.

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
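
An added example, not part of the original thread: reading keystroke records of the kind the audit daemon writes when PAM TTY auditing (pam_tty_audit) is enabled, and attributing commands typed as root back to the login user through `auid`, which does not change across `su`. The record layout, the UID 500 for `u1`, and the sample log are assumptions constructed for illustration.

```python
import re

# Assumed field layout of Linux audit TTY records; data= is hex-encoded keystrokes.
RECORD = re.compile(r"type=TTY msg=audit\(\d+\.\d+:\d+\):.*?"
                    r"\buid=(?P<uid>\d+) auid=(?P<auid>\d+).*?\bdata=(?P<data>[0-9A-Fa-f]+)")
NAMES = {0: "root", 500: "u1"}  # constructed UID-to-name map (UID 500 is assumed)

def _rec(ts, serial, pid, uid, auid, keys):
    """Build one constructed TTY record for the sample below."""
    return (f'type=TTY msg=audit({ts}.000:{serial}): tty pid={pid} uid={uid} '
            f'auid={auid} ses=3 major=136 minor=1 comm="bash" data={keys.hex().upper()}')

# Constructed sample: u1 logs in, runs 'su - root', then works as root.
SAMPLE_LOG = "\n".join([
    _rec(1285167600, 410, 2610, 500, 500, b"ls -l\r"),
    _rec(1285167642, 415, 2610, 500, 500, b"su - root\r"),
    "type=USER_AUTH msg=audit(1285167645.020:416): user pid=2655 uid=500 auid=500 "
    "ses=3 msg='op=PAM:authentication acct=\"root\" res=success'",
    _rec(1285167660, 421, 2656, 0, 500, b"tail /var/lof\x7fg/secure\r"),
])

def decode_keys(hex_data):
    """Replay raw keystrokes: DEL/backspace erases, CR/LF ends a line."""
    lines, cur = [], []
    for b in bytes.fromhex(hex_data):
        if b in (0x7F, 0x08):
            if cur:
                cur.pop()
        elif b in (0x0D, 0x0A):
            lines.append("".join(cur))
            cur = []
        else:
            # Keep other control bytes visible instead of dropping them.
            cur.append(chr(b) if 0x20 <= b < 0x7F else f"<{b:02X}>")
    if cur:
        lines.append("".join(cur))
    return lines

def attribute(log_text, names):
    """Return (login_user, effective_user, typed_line) for each TTY record line."""
    events = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m:  # non-TTY records (e.g. USER_AUTH) are skipped
            who = names.get(int(m["auid"]), m["auid"])
            as_user = names.get(int(m["uid"]), m["uid"])
            events += [(who, as_user, cmd) for cmd in decode_keys(m["data"])]
    return events

def after_su(events):
    """Lines typed under a UID other than the one the user logged in with."""
    return [e for e in events if e[0] != e[1]]
```

Run this against a copy of audit.log held on the remote log host, since the local file is writable by root.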


