How to Apply Audit rules in Linux to check what commands executed by root
Solution:
1. Edit the file /etc/audit/audit.rules
2. For 32-bit systems: -a entry,always -F arch=b32 -F uid=0 -S execve
3. For 64-bit systems: -a entry,always -F arch=b64 -F uid=0 -S execve
TIP: "entry" is deprecated in RHEL 6; use "exit" instead of "entry" (for example -a exit,always -F arch=b64 -F uid=0 -S execve).
4. To track specific commands, add watch entries like the following (choose your own):
-w /sbin/reboot
-w /sbin/shutdown
-w /sbin/init
5. To apply the rules (enable auditd at boot and reload it):
chkconfig auditd on
service auditd restart
6. To search the logs (-if selects the input file, -i interprets numeric fields such as uid and syscall into names):
ausearch -if /var/log/audit/audit.log -i | less
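What the execve rule above actually writes to /var/log/audit/audit.log is a group of records per event (SYSCALL, EXECVE, CWD, PATH) that share one msg=audit(timestamp:serial) stamp; the SYSCALL record carries uid/auid and the syscall number, and the EXECVE record carries the argument vector, with any argument containing whitespace hex-encoded. The following script is an added example, not part of the original post or of the audit package: it parses constructed sample records (the key="root-exec" value assumes a -k root-exec was appended to the rules, which the rules above do not do) and lists the commands run as uid 0 with their decoded argv, which is roughly what ausearch -i shows you after interpretation.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not taken from a real host). Serial 201 is
# root running "reboot -f", 202 is an unprivileged user's "ls", 203 is root running
# echo with an argument auditd hex-encoded because it contains a space.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="reboot" exe="/sbin/reboot" key="root-exec"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="reboot" a1="-f"
type=CWD msg=audit(1700000000.101:201): cwd="/root"
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.205:202): argc=1 a0="ls"
type=SYSCALL msg=audit(1700000000.310:203): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1200 pid=1202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="echo" exe="/bin/echo" key="root-exec"
type=EXECVE msg=audit(1700000000.310:203): argc=2 a0="echo" a1=68656C6C6F20776F726C64
"""

# Every record of one event carries the same msg=audit(<timestamp>:<serial>) stamp;
# the serial is what ties the SYSCALL record to its EXECVE record.
EVENT_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# execve syscall number per arch value as printed in the SYSCALL record:
# c000003e is x86_64 (rule arch=b64), 40000003 is i386 (rule arch=b32).
EXECVE_BY_ARCH = {"c000003e": "59", "40000003": "11"}


def decode_value(value):
    """Unquote a quoted field; hex-decode an unquoted one (auditd hex-encodes
    values that contain whitespace or control characters); else return as-is."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def group_events(log_text):
    """Return {serial: {"ts": ..., "SYSCALL": fields, "EXECVE": fields, ...}}."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        stamp = EVENT_RE.search(line)
        if not stamp:
            continue
        fields = dict(FIELD_RE.findall(line))
        event = events[stamp.group("serial")]
        event["ts"] = stamp.group("ts")
        event[fields.get("type")] = fields
    return events


def root_commands(log_text):
    """List commands executed with uid 0, oldest first, with their full argv."""
    found = []
    for serial, event in sorted(group_events(log_text).items(), key=lambda kv: int(kv[0])):
        sc, ex = event.get("SYSCALL"), event.get("EXECVE")
        if not sc or not ex:
            continue  # watch hits (-w) and non-exec syscalls carry no EXECVE record
        if sc.get("uid") != "0" or sc.get("syscall") != EXECVE_BY_ARCH.get(sc.get("arch")):
            continue
        argc = int(ex.get("argc", "0"))
        argv = [decode_value(ex[f"a{i}"]) for i in range(argc) if f"a{i}" in ex]
        found.append({
            "serial": serial,
            "ts": event["ts"],
            "auid": sc.get("auid"),  # login uid: which user became root via su/sudo
            "exe": decode_value(sc.get("exe", "")),
            "key": decode_value(sc.get("key", "")),
            "argv": argv,
        })
    return found


if __name__ == "__main__":
    for cmd in root_commands(SAMPLE_LOG):
        print(f'{cmd["ts"]} auid={cmd["auid"]} key={cmd["key"]} exe={cmd["exe"]} argv={cmd["argv"]}')
```

Two things the output makes visible that the rule line alone does not: the auid field survives su and sudo, so it tells you which login account was behind a root command even though uid is 0, and arguments such as "hello world" only become readable after hex-decoding, which is the same interpretation ausearch -i performs.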