How to audit if someone runs a specific EXE (/bin/date) with connected IP
We can configure and log if a user runs any/specific command (like /bin/date). How can we also log the connected IP along with who ran the specific command (/bin/date)?
Responses
Hello,
Use the following procedure to log a user's commands:
-1- Add this line in /etc/rsyslog.conf
- local6.debug /var/log/login
-2- Put this line at the end of /etc/bashrc
- export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
-3- To monitor the user's commands
- # tail -f /var/log/login
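For the connected-IP part of the question, here is an added example that is not part of the answer above: a variant of the /etc/bashrc hook that also records the client address. It assumes users log in over SSH, where sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port"; the audit_* function names and the sample addresses are made up for illustration.

```shell
# Added example for /etc/bashrc: log each command with the SSH client IP.

# Print the client IP from an SSH_CONNECTION value, or "local" when the
# variable is empty (console login, or a session that did not come via sshd).
audit_remote_ip() {
    conn=${1-}
    case $conn in
        '') echo local ;;
        *)  echo "${conn%% *}" ;;   # keep only the first space-separated field
    esac
}

# "history 1" prints e.g. "  512  /bin/date"; drop the leading entry number.
audit_strip_histnum() {
    printf '%s\n' "$1" | sed 's/^[ ]*[0-9][0-9]*[ ]*//'
}

# Build one log message.
# $1 user, $2 shell PID, $3 raw "history 1" line, $4 exit status, $5 SSH_CONNECTION
audit_format() {
    printf '%s from=%s [%s]: %s [%s]\n' \
        "$1" "$(audit_remote_ip "$5")" "$2" "$(audit_strip_histnum "$3")" "$4"
}

# Runs before every prompt in interactive bash. The first statement must
# capture $? so it still holds the status of the command the user just ran.
audit_prompt_hook() {
    audit_rv=$?
    logger -p local6.debug \
        "$(audit_format "$(whoami)" "$$" "$(history 1)" "$audit_rv" "${SSH_CONNECTION-}")"
    return "$audit_rv"
}

# Not exported: every interactive bash that sources this file sets it again,
# and a shell that skipped this file would not have the function defined.
PROMPT_COMMAND=audit_prompt_hook
```

With the constructed values used here, a line in /var/log/login would read `alice from=203.0.113.7 [4242]: /bin/date [0]`. Both PROMPT_COMMAND and SSH_CONNECTION live in the user's own shell and can be changed or unset by that user, so check the logged address against the sshd login records for the same session.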
