How to log all Bash commands by all users on a server
Hidden logging of all users' actions
Our small company runs an Ubuntu Server 11.10, to which a couple of people have SSH access. The actual terminals are sometimes used, too. How can we locally log all Bash commands run, along with user and time stamp?
We can assume that no-one is nefarious and actively trying to avoid the logging, but we’d still prefer the users not to have direct write-access to their log files. Simultaneous sessions must be handled correctly.
For BASH shells, edit the system-wide BASH runtime config file:
sudo -e /etc/bash.bashrc
Append to the end of that file:
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
Set up logging for “local6” with a new file:
sudo -e /etc/rsyslog.d/bash.conf
And the contents…
sudo service rsyslog restart
Log out. Log in. Voila!
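Once entries arrive, each one carries the user, the shell PID, the command and its exit status, so the log can be summarised per session. The script below is an added example, not part of the original post: it assumes rsyslog's traditional file format with logger's default tag, its function names are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: parse lines produced by the PROMPT_COMMAND logger hook.
# Assumed layout (rsyslog traditional file format, logger's default tag):
#   <timestamp> <host> <tag>: <user> [<shell pid>]: <command> [<exit status>]

# Constructed sample input; host name, users and PIDs are made up.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 srv1 alice: alice [2211]: ls -la /etc [0]
Mar  3 10:15:09 srv1 bob: bob [2305]: [ -f /tmp/x ] [1]
Mar  3 10:15:12 srv1 alice: alice [2290]: grep -c root /etc/shadow [2]
Mar  3 10:15:20 srv1 alice: alice [2290]: sudo -e /etc/hosts [0]
Mar  3 10:15:31 srv1 bob: bob [2305]: cat /etc/shadow [1]
Mar  3 10:16:02 srv1 carol: manual note written with logger
EOF
}

# stdin: raw log lines.
# stdout: timestamp, user, pid, exit status, command (tab-separated).
# The command is matched greedily, so only the final " [N]" is taken as the
# exit status and a command that itself contains brackets stays intact.
# Lines that do not follow the hook's layout are skipped.
parse_bash_audit() {
    tab=$(printf '\t')
    sed -nE "s/^([A-Z][a-z]{2} +[0-9]+ [0-9:]{8}) [^ ]+ [^ ]+: ([^ ]+) \[([0-9]+)\]: (.*) \[([0-9]+)\]\$/\1${tab}\2${tab}\3${tab}\5${tab}\4/p"
}

# Count commands with a non-zero exit status per user and shell PID, so
# simultaneous sessions of the same user are reported separately.
failures_by_session() {
    parse_bash_audit |
        awk -F '\t' '$4 != 0 { n[$2 " " $3]++ } END { for (k in n) print k, n[k] }' |
        sort
}

# Stand-alone run on the constructed sample.
sample_log | failures_by_session
```

To use it on real data, pipe the log file configured for local6 into `failures_by_session` instead of `sample_log`.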
But I forgot about log rotation:
sudo -e /etc/logrotate.d/rsyslog
There is a list of log files to rotate the same way…
/var/log/mail.warn /var/log/mail.err [...] /var/log/message
So add the new bash-commands log file in that list: