How Can I Track All Commands Run by a User

Document ID : KB000094761
Last Modified Date : 04/05/2018
Question:
How do I enable auditing where I can track a user ID to all specific commands they are running?
Answer:
If you want to put a trace on a user, you can do so by setting the trace audit attribute on that user. Be careful about setting this trace attribute on all users, because it will add MAJOR overhead. Here is my example:

1st terminal as root: 
AC> eu gomer audit(trace) 

2nd terminal as gomer: 
-sh-4.2$ touch /tmp/myfile 
-sh-4.2$ ls 
-sh-4.2$ pwd 
/home/gomer 
-sh-4.2$ cd / 
-sh-4.2$ vi /etc/hosts 

1st terminal as root again: 
AC> !seaudit -tr -st now-5 | grep -i gomer 

You will see all activity run by the user gomer while under trace audit mode.

You can also audit only the PROGRAM records, as long as your user records have trace audit mode enabled:
AC> seaudit -trr PROGRAM