quick-docs/modules/ROOT/pages/_partials/2delete-con_logging-sudo-commands.adoc

21 lines
1.2 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[id="concept-logging-sudo-commands"]
= Logging sudo commands
Each successful authentication using the [command]`sudo` command is logged to the [filename]`/var/log/messages` file. For each authentication, the [filename]`/var/log/secure` file lists the user name and the command that was executed.
For additional logging, use the `pam_tty_audit` module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your [filename]`/etc/pam.d/system-auth` file:
[subs=quotes]
----
session required pam_tty_audit.so disable=pattern enable=_PATTERN_
----
Replace `_PATTERN_` with a comma-separated list of users (and globs, if needed).
For example, the following command enables TTY auditing for the root user and disables it for all other users:
----
session required pam_tty_audit.so disable=* enable=root
----
Using the `pam_tty_audit` PAM module for auditing only records TTY input. As a result, when the audited user logs in, `pam_tty_audit` records the users exact keystrokes and saves them in [filename]`/var/log/audit/audit.log`. For more information, see the *pam_tty_audit(8)* manual page.