How do I enable auditing where I can track a user ID to all specific commands they are running?
If you want to put a trace on a user, you can do this – though be careful about setting this trace attribute on all users, because it will add MAJOR overhead. Here is my example:
1st terminal as root:
AC> eu gomer audit(trace)
2nd terminal as gomer:
-sh-4.2$ touch /tmp/myfile
-sh-4.2$ cd /
-sh-4.2$ vi /etc/hosts
1st terminal as root again:
AC> !seaudit -tr -st now-5 | grep -i gomer
You will see all activity run by the user gomer while in trace audit mode.
You can also report on only the PROGRAM records, as long as your user records have trace audit mode enabled:
AC> seaudit -trr PROGRAM