Security: log user's actions

Log sudo actions

/etc/sudoers:
Defaults iolog_dir=/var/log/sudo-io/%{user}
%admins ALL=(ALL) LOG_INPUT: LOG_OUTPUT: ALL

gpasswd -a user admins # add user to group admins

all sudo sessions of users in group admins (input and output) will be written to /var/log/sudo-io/<user>/

Log all events with auditd

apt-get install auditd
add at the end of /etc/audit/audit.rules:
-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve

add audit=1 to the kernel's cmdline in /etc/default/grub

Add «session required pam_loginuid.so» to /etc/pam.d/{login,kdm,sshd} so that every process keeps the login uid (auid) of the user who logged in, even after sudo

update-grub
reboot

How to search for events in auditd's log

ausearch -ua 1000, where 1000 is the user's id (the login uid set by pam_loginuid, so it also matches commands the user ran through sudo).
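As an added example (not part of the original note), here is a shell function that does by hand what ausearch -ua does: it joins the SYSCALL and EXECVE records of each audit event on their shared event id and keeps those whose auid matches the login uid you ask for. The log lines are constructed samples, and the function name and the x86_64 syscall number 59 for execve are assumptions.

```shell
# Constructed sample of /var/log/audit/audit.log (not from a real host):
# two execve events by different login uids, both escalated to root via sudo,
# plus a CWD record that the filter must ignore. arch=c000003e is x86_64,
# where syscall 59 is execve (the b32 rule above logs it as syscall 11).
AUDIT_SAMPLE='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key=(null)
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1700000000.101:201): cwd="/root"
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=59 success=yes exit=0 ppid=3200 pid=3201 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="systemctl" exe="/usr/bin/systemctl" key=(null)
type=EXECVE msg=audit(1700000000.205:202): argc=3 a0="systemctl" a1="restart" a2="sshd"'

# execve_by_auid AUID [FILE]: print "EVENT_ID uid=N euid=N COMMAND" for each
# execve performed under the given login uid (auid), reading FILE or stdin.
# The SYSCALL record carries auid/uid/euid, the EXECVE record carries argv;
# they share the audit(TIME:SERIAL) event id, which is what joins them.
execve_by_auid() {
    awk -v want="$1" '
        # event id = text between "audit(" and ")"
        { match($0, /audit\([0-9.]+:[0-9]+\)/); ev = substr($0, RSTART + 6, RLENGTH - 7) }
        $1 == "type=SYSCALL" && /syscall=59 / {
            auid = ""; uid = ""; euid = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "euid") euid = kv[2]
            }
            if (auid == want) keep[ev] = "uid=" uid " euid=" euid
        }
        $1 == "type=EXECVE" && (ev in keep) {
            # argv fields look like a0="cat"; args with spaces or odd bytes are
            # hex-encoded without quotes in real logs and would print as hex here
            cmd = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^a[0-9]+=/) {
                    sub(/^a[0-9]+=/, "", $i); gsub("\"", "", $i)
                    cmd = cmd (cmd == "" ? "" : " ") $i
                }
            print ev, keep[ev], cmd
        }
    ' ${2:+"$2"}
}

# Stand-alone run: everything login uid 1000 executed as root
printf '%s\n' "$AUDIT_SAMPLE" | execve_by_auid 1000
```

Note that uid=0 euid=0 in the output while auid stays 1000: without pam_loginuid the auid field would be unset (4294967295) and the search by user would find nothing.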