Tips for UNIX Auditing and Linux Auditing
A variety of methods exist for auditing user activity in UNIX and Linux environments. Some of them come preinstalled within common distributions, some can be downloaded as freeware, and some are commercially available products. These include:
As with most matters in UNIX and Linux, there are many ways to audit user activity. When choosing a method, weigh the benefits that each one provides. For a simple view into highly-managed processes, script and screen can be extended to expose user actions. For issues specific to privileged use, sudo can be modified to capture audit data. For configuration monitoring, the native auditd facility can capture file and system changes in a clear, attributable form.
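The auditd approach above, as an added example that is not part of the original page: a set of file-watch rules for configuration monitoring, and a small parser (written for this page, not an auditd tool) that reads the SYSCALL records those rules emit and attributes each change to the login identity (auid), which is what survives a sudo or su to root. The paths, keys and log records are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original page: auditd watch rules for configuration
# monitoring and a small parser for the SYSCALL records those rules produce.

# Rules of the form used in /etc/audit/rules.d/*.rules (load with auditctl -R):
#   -w <path> -p <perms> -k <key>   (w = write, a = attribute change)
# The key tags every record the rule generates, which is what we search for.
AUDIT_RULES='-w /etc/sudoers -p wa -k sudoers_change
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/passwd -p wa -k passwd_change'

# Constructed sample records in audit.log format (trimmed, not real captures).
# auid is the login uid assigned at session start; it survives sudo/su, so
# "auid=1001 uid=0" means user 1001 did this as root. auid=4294967295 means
# the process has no login session (e.g. a daemon or cron job).
SAMPLE_LOG='type=USER_LOGIN msg=audit(1700000000.001:400): pid=1200 uid=0 auid=1001 ses=3 res=success
type=SYSCALL msg=audit(1700000000.123:401): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=1234 auid=1001 uid=0 gid=0 euid=0 ses=3 comm="vi" exe="/usr/bin/vi" key="sudoers_change"
type=PATH msg=audit(1700000000.123:401): item=0 name="/etc/sudoers" inode=1337 mode=0100440 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.789:402): arch=c000003e syscall=257 success=yes exit=3 ppid=1300 pid=1350 auid=1002 uid=0 gid=0 euid=0 ses=4 comm="sed" exe="/usr/bin/sed" key="sshd_config"
type=SYSCALL msg=audit(1700000001.005:403): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="cp" exe="/usr/bin/cp" key="passwd_change"'

# Print "<auid> <uid> <comm> <key>" for every SYSCALL record carrying a watch
# key; other record types (logins, PATH, CWD) are skipped.
audit_report() {
  printf '%s\n' "$1" | awk '
    $1 == "type=SYSCALL" && /key="/ {
      auid = ""; uid = ""; comm = ""; key = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "auid") auid = kv[2]
        else if (kv[1] == "uid") uid = kv[2]
        else if (kv[1] == "comm") comm = kv[2]
        else if (kv[1] == "key") key = kv[2]
      }
      gsub(/"/, "", comm); gsub(/"/, "", key)
      if (auid == "4294967295") auid = "unset"
      print auid, uid, comm, key
    }'
}

# Narrow the report to edits made as root by a different login identity, i.e.
# changes via sudo/su, the privileged-use case the text singles out. Records
# with no login session (root-run daemons, cron) are left out of this view.
privileged_edits() {
  audit_report "$1" | awk '$2 == "0" && $1 != "0" && $1 != "unset"'
}

audit_report "$SAMPLE_LOG"
```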
ObserveIT provides a more holistic audit that generates logs for any user (root, sudo, named user), including interactive I/O plus the underlying system internals. This more complete picture suits highly-regulated audit requirements where large volumes of log data alone are insufficient (for example, PCI security regulations, HIPAA, and internal security regulations for highly-sensitive data applications).