[RFC] Auditing user command execution

Hi, I received a requirement from one of my customer to audit what the users do after sudo. To be sure that only user sessions are audited I'm using the pam_script module to insert and remove a rule when the users logins and logouts, respectively. I'm doing this because if you have a persistent rule and you restart a daemon, the audit system will report the daemon actions, even if the user logouts. I configured the pam_script in /etc/pam.d/sudo and pam_loginuid in /etc/pam.d/{login,ssh}. The command line that I'm using to add/remove the rule to audit execs is: /sbin/auditctl [-a|-d] entry,always -S execve -F auid=$AUID Let me know if anybody has a better way to do this. Regards, Diego -- Diego Woitasen