quick-docs/en-US/modules/con_logging-sudo-commands.adoc

[id="concept-logging-sudo-commands"]
= Logging sudo commands

Each successful authentication using the [command]`sudo` command is logged to the [filename]`/var/log/messages` file. For each authentication, the [filename]`/var/log/secure` file lists the user name and the command that was executed.

For additional logging, use the `pam_tty_audit` module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your [filename]`/etc/pam.d/system-auth` file:

[subs=quotes]
----
session required pam_tty_audit.so disable=pattern enable=_PATTERN_
----

Replace `_PATTERN_` with a comma-separated list of users (and globs, if needed).

For example, the following command enables TTY auditing for the root user and disables it for all other users:

----
session required pam_tty_audit.so disable=* enable=root
----

Using the `pam_tty_audit` PAM module for auditing only records TTY input. As a result, when the audited user logs in, `pam_tty_audit` records the user’s exact keystrokes and saves them in [filename]`/var/log/audit/audit.log`. For more information, see the *pam_tty_audit(8)* manual page.
-												Add new file
											
										
										
											2017-12-14 04:33:13 +00:00
+								[id="concept-logging-sudo-commands"]
 								= Logging sudo commands
-												Fixed the 'sudo' topic.

											
										
										
											2018-01-03 16:15:39 +00:00
+								Each successful authentication using the [command]`sudo` command is logged to the [filename]`/var/log/messages` file. For each authentication, the [filename]`/var/log/secure` file lists the user name and the command that was executed.
-												Add new file
											
										
										
											2017-12-14 04:33:13 +00:00
 								For additional logging, use the `pam_tty_audit` module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your [filename]`/etc/pam.d/system-auth` file:
-												Fixed the 'sudo' topic.

											
										
										
											2018-01-03 16:15:39 +00:00
+								[subs=quotes]
-												Add new file
											
										
										
											2017-12-14 04:33:13 +00:00
+								----
-												Fixed the 'sudo' topic.

											
										
										
											2018-01-03 16:15:39 +00:00
+								session required pam_tty_audit.so disable=pattern enable=_PATTERN_
-												Add new file
											
										
										
											2017-12-14 04:33:13 +00:00
+								----
-												Fixed the 'sudo' topic.

											
										
										
											2018-01-03 16:15:39 +00:00
+								Replace `_PATTERN_` with a comma-separated list of users (and globs, if needed).
-												Add new file
											
										
										
											2017-12-14 04:33:13 +00:00
 								For example, the following command enables TTY auditing for the root user and disables it for all other users:
 								----
 								session required pam_tty_audit.so disable=* enable=root
 								----
 								Using the `pam_tty_audit` PAM module for auditing only records TTY input. As a result, when the audited user logs in, `pam_tty_audit` records the user’s exact keystrokes and saves them in [filename]`/var/log/audit/audit.log`. For more information, see the *pam_tty_audit(8)* manual page.