root command monitoring and auditing

I have a request to provide a single solution for logging the root user commands on RHEL (5, 6, 7, 8) so that they will be available for offline analysis or auditing purposes. The following is a list of minimal details:
- Login on console or tty (ssh)
- Timestamp for session
- If from ssh then source IP address (FQDN is a nice to have)
- commands executed
- realtime logging

I can create a semi-realtime version of this using the following:
- PAM module pam_tty_audit.so
- aureport
- some scripting in /etc/profile.d and /etc/bash.bash_logout to a NFS mount
- background process
- And then there is sudo logging and sudoreplay ...

Are you familiar with a COTS solution that does this for both root and sudo?
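
The offline-analysis part of the question, as an added example that is not from the thread or from any Red Hat tooling: a small Python script that turns the records pam_tty_audit writes into /var/log/audit/audit.log into a per-session report with the details listed above (session timestamp, terminal, source address for ssh logins, and the commands typed). It correlates the USER_LOGIN record (which carries addr= and terminal=) with the TTY records (hex-encoded keystrokes) on the audit session id ses=, which is what `ausearch -i` also keys on. The audit lines below are constructed for the example, not real log data; the field layout follows what auditd emits, but any production parser should be checked against your own audit.log.

```python
"""Offline report of root TTY activity from auditd records written by
pam_tty_audit: USER_LOGIN gives terminal and source address, TTY gives the
hex-encoded keystrokes; both are joined on the audit session id (ses=)."""
import re
from datetime import datetime, timezone

# Constructed sample in the style of /var/log/audit/audit.log (not real data).
# ses=7: ssh login, one command split over two TTY records;
# ses=8: console login, command edited with Backspace before Enter;
# ses=9: TTY records with no USER_LOGIN in the file (e.g. after log rotation).
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1614000000.123:501): pid=2031 uid=0 auid=0 ses=7 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=TTY msg=audit(1614000012.456:502): tty pid=2045 uid=0 auid=0 ses=7 major=136 minor=1 comm="bash" data=6964202D750D
type=TTY msg=audit(1614000015.000:503): tty pid=2045 uid=0 auid=0 ses=7 major=136 minor=1 comm="bash" data=6C7320
type=TTY msg=audit(1614000020.789:504): tty pid=2045 uid=0 auid=0 ses=7 major=136 minor=1 comm="bash" data=2D6C610D
type=USER_LOGIN msg=audit(1614000100.000:510): pid=2100 uid=0 auid=0 ses=8 msg='op=login id=0 exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=TTY msg=audit(1614000105.000:511): tty pid=2110 uid=0 auid=0 ses=8 major=4 minor=1 comm="bash" data=7077647F7F7F757074696D650D
type=TTY msg=audit(1614000200.000:520): tty pid=2200 uid=0 auid=0 ses=9 major=136 minor=2 comm="bash" data=7375646F202D6C0D
"""

TS_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_fields(text):
    """Split key=value pairs; the quoted msg='...' body of USER_* records is
    parsed recursively so addr= and terminal= become top-level keys."""
    fields = {}
    for key, val in KV_RE.findall(text):
        if val.startswith("'") and val.endswith("'"):
            fields.update(parse_fields(val[1:-1]))
        else:
            fields[key] = val.strip('"')
    return fields


def fmt_ts(epoch):
    """Audit timestamps are epoch seconds; render them as UTC ISO-8601."""
    return datetime.fromtimestamp(float(epoch), tz=timezone.utc).isoformat()


def feed_keystrokes(session, epoch, raw):
    """Replay decoded keystrokes through a minimal line editor: Enter emits a
    command, Backspace/DEL drops a character, anything else is appended.
    Input without a trailing Enter stays buffered for the next TTY record."""
    buf = session["buffer"]
    for ch in raw:
        if ch in ("\r", "\n"):
            if buf.strip():
                session["commands"].append((fmt_ts(epoch), buf))
            buf = ""
        elif ch in ("\x7f", "\x08"):
            buf = buf[:-1]
        else:
            buf += ch
    session["buffer"] = buf


def build_report(log_text):
    """Return one dict per audit session, ordered by first appearance."""
    sessions = {}
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if not m:
            continue
        epoch = m.group(1)
        f = parse_fields(line)
        ses = f.get("ses")
        if ses is None:
            continue
        s = sessions.setdefault(ses, {
            "ses": ses, "auid": f.get("auid"), "first_epoch": float(epoch),
            "login_time": None, "terminal": None, "addr": None,
            "commands": [], "buffer": "",
        })
        if f["type"] == "USER_LOGIN" and f.get("res") == "success":
            s["login_time"] = fmt_ts(epoch)
            s["terminal"] = f.get("terminal")
            # auditd writes addr=? for console logins; treat that as "no address".
            s["addr"] = None if f.get("addr") in (None, "?") else f["addr"]
        elif f["type"] == "TTY" and "data" in f:
            feed_keystrokes(s, epoch, bytes.fromhex(f["data"]).decode("latin-1"))
    return sorted(sessions.values(), key=lambda s: s["first_epoch"])


if __name__ == "__main__":
    for s in build_report(SAMPLE_AUDIT_LOG):
        print(f"session {s['ses']} auid={s['auid']} login={s['login_time'] or 'unknown'} "
              f"terminal={s['terminal'] or '?'} addr={s['addr'] or '-'}")
        for ts, cmd in s["commands"]:
            print(f"  {ts}  {cmd}")
        if s["buffer"]:
            print(f"  (unterminated input: {s['buffer']!r})")
```

Two things worth keeping in mind when using this kind of data: the TTY record is a raw keystroke stream, so it also contains arrow-key and other escape sequences that this example does not interpret, and with pam_tty_audit's log_passwd option it contains everything typed at password prompts as well, so the audit.log and any NFS copy of it need the same access controls as the systems they describe.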

Responses