Log Root Commands in RHEL7

The root user is the most important user in any Linux distribution and has full rights on the machine. Root is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. It is also referred to as the root account, root user, and the superuser. It is very important to log root commands if your server is under delegation, and it is also important for audit and security purposes.

You already know that root privileges are the powers that the root account has on the system. The root account is the most privileged on the system and has absolute power over it (i.e., complete access to all files and commands). Among root’s powers are the ability to modify the system in any way desired and to grant and revoke access permissions (i.e., the ability to read, modify and execute specific files and directories) for other users, including any of those that are by default reserved for root. So let's understand how to log root commands executed in Red Hat Enterprise Linux 7.

As a word of precaution

When using this account it is crucial to be as careful as possible. The “root” account has no security restrictions imposed upon it. This means it is easy to perform administrative duties without hassle. However, the system assumes you know what you are doing, and will do exactly what you request — no questions asked. Therefore it is easy, with a mistyped command, to wipe out crucial system files.

When you are signed in as, or acting as “root”, the shell prompt displays ‘#’ as the last character (if you are using bash). This is to serve as a warning to you of the absolute power of this account.

The rule of thumb is, never sign in as “root” unless absolutely necessary. While “root”, type commands carefully and double-check them before pressing return. Sign off from the “root” account as soon as you have accomplished the task you signed on for. Finally, (as with any account but especially important with this one), keep the password secure!

Let's configure our RHEL7 server to log root commands.

Step #1 – Edit your PAM files to record root commands. Append these lines to “system-auth-ac” and “password-auth-ac” under the /etc/pam.d/ directory.


[Image: log root commands]


Step #2 – Now, as root, try executing some commands. I am trying to create a user here and intentionally making some spelling errors.


[Image: log root commands]


Step #3 – Now, if everything is working fine, you should be able to see which commands were executed by user root.


[Image: log root commands]
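
The screenshots for these steps are not reproduced, so the exact lines appended in Step #1 are not shown on this page. As an added example (not the original post's code), the script below assumes the standard RHEL 7 mechanism for this, the `pam_tty_audit` module with `disable=* enable=root`, and appends that session line to both PAM files idempotently; the function names are hypothetical.

```shell
#!/bin/bash
# Added example. Assumption: root keystroke logging is done with pam_tty_audit.
AUDIT_LINE='session     required      pam_tty_audit.so disable=* enable=root'

# Return 0 if FILE has an uncommented pam_tty_audit session line that
# enables auditing for root.
has_root_tty_audit() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_tty_audit\.so[^#]*enable=([^[:space:]#]*,)?root(,|[[:space:]]|$)' "$1"
}

# Append AUDIT_LINE to both PAM stacks under the given directory unless it is
# already active. Returns 1 if either file is missing.
enable_root_tty_audit() {
    pam_dir=${1:-/etc/pam.d}
    rc=0
    for name in system-auth-ac password-auth-ac; do
        f="$pam_dir/$name"
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            rc=1
            continue
        fi
        if has_root_tty_audit "$f"; then
            echo "unchanged: $f"
            continue
        fi
        cp -p "$f" "$f.bak"                      # rollback copy
        # Make sure the appended line starts on its own line.
        if [ -n "$(tail -c1 "$f")" ]; then echo >> "$f"; fi
        printf '%s\n' "$AUDIT_LINE" >> "$f"
        echo "updated: $f"
    done
    return "$rc"
}

# Demo on constructed files in a temp directory (not the live /etc/pam.d).
demo=$(mktemp -d)
printf 'session     required      pam_unix.so\n' > "$demo/system-auth-ac"
printf '#session required pam_tty_audit.so enable=root\n' > "$demo/password-auth-ac"
enable_root_tty_audit "$demo"    # both files: updated
enable_root_tty_audit "$demo"    # both files: unchanged
rm -rf "$demo"
```

Under that assumption, the recorded keystrokes are read back with `aureport --tty` after a fresh root login, provided auditd is running. On RHEL 7 the `-ac` files are generated by authconfig, so a later authconfig run can drop manual edits; re-running the check function after such changes catches that.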