Syslog: log all bash history from every user

by 날으는물고기 2014. 12. 15.


There are times I wish I had kept every command I ran over the last three days, or could see what another user did to a system. So I looked for a way to log all ssh sessions to a server: every command of every user, sent to syslog and kept. This is useful for auditing systems.

A simple way to do this is to set a PROMPT_COMMAND in the system-wide bashrc, like:

PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'

This works because history -a FILE appends only the history lines of the current session that have not been appended before, and bash runs PROMPT_COMMAND right before printing each prompt. FILE here is a process substitution, so the command just typed goes to tee, which appends it to ~/.bash_history and passes a copy to logger, which tags it with the user name, the shell's PID and the SSH_CONNECTION variable (client IP and port, server IP and port) that sshd sets. The single quotes matter: they defer expansion of $USER, $$ and $SSH_CONNECTION until the command actually runs.

On Debian edit the file /etc/bash.bashrc; on CentOS edit /etc/bashrc.

To start logging in the session you are already in, source the file you edited:

source /etc/bash.bashrc

on a Debian system, or

source /etc/bashrc

on a CentOS system.

From now on, every command typed in every interactive bash session over ssh is logged to /var/log/syslog on a Debian system and to /var/log/messages on a CentOS system. Two limits are worth knowing. PROMPT_COMMAND only runs in interactive shells, so a non-interactive "ssh host command" is not captured. And a user can unset PROMPT_COMMAND or exec another shell, so treat this as an audit trail for cooperative users rather than an enforcement control; forwarding the lines to a separate log server at least puts the record out of the user's reach.
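As an added example (not part of the original post or of the linked answer), here is an offline dry run of the mechanism. It starts an interactive bash under a scratch HOME whose rc file holds the PROMPT_COMMAND above, feeds it a constructed two-command session on stdin, and shadows logger(1) with a shell function that writes "TAG: line" to a file instead of talking to syslog. The user name alice, the SSH_CONNECTION value, the two typed commands and the file names are constructed; everything else is plain bash behaviour.

```shell
#!/bin/sh
# Added example, not from the original post: an offline dry run of the
# PROMPT_COMMAND trick. An interactive bash runs under a scratch HOME whose
# rc file carries the page's PROMPT_COMMAND; a constructed "typed" session is
# fed on stdin; logger(1) is shadowed by a shell function that appends to a
# file, so nothing reaches the real syslog.

# Number of lines in FILE, 0 if it does not exist yet.
log_line_count() {
    n=$(grep -c '' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

demo_prompt_logging() {
    dir=$(mktemp -d) || return 1

    # What a deployment would put in /etc/bash.bashrc (Debian) or /etc/bashrc
    # (CentOS). logger() is the stand-in: it keeps the -t tag, ignores -p
    # (that only matters to a syslog daemon) and writes "TAG: line".
    cat >"$dir/bashrc" <<'EOF'
HISTFILE=$HOME/.bash_history
HISTSIZE=500
unset HISTCONTROL HISTIGNORE HISTTIMEFORMAT   # keep the dry run deterministic
logger() {
    tag=
    while [ $# -gt 0 ]; do
        case $1 in
            -t) tag=$2; shift 2 ;;
            -p) shift 2 ;;
            *)  shift ;;
        esac
    done
    while IFS= read -r line; do
        printf '%s: %s\n' "$tag" "$line" >>"$LOGFILE"
    done
}
# The page's command, verbatim. Single quotes defer expansion of $USER, $$
# and $SSH_CONNECTION to prompt time, and $$ is still the login shell's PID
# even though the expansion happens inside the >( ) subshell.
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'
EOF

    # Constructed session: the lines a user "types". They really are executed
    # (output discarded), so keep them harmless.
    printf '%s\n' 'ls -la /etc' 'cat /etc/passwd' >"$dir/typed"

    # Constructed identity, as sshd and login would have set it. bash -i runs
    # PROMPT_COMMAND before every prompt even when stdin is not a terminal.
    HOME=$dir USER=alice SSH_CONNECTION='192.0.2.5 50412 192.0.2.10 22' \
    LOGFILE=$dir/history.log \
        bash --rcfile "$dir/bashrc" -i <"$dir/typed" >/dev/null 2>&1 || true

    # The >( ) pipeline runs asynchronously; wait briefly for both lines.
    i=0
    while [ "$(log_line_count "$dir/history.log")" -lt 2 ] && [ "$i" -lt 25 ]; do
        sleep 0.2 2>/dev/null || sleep 1
        i=$((i + 1))
    done

    cat "$dir/history.log" 2>/dev/null || true
    rm -rf "$dir"
}

demo_prompt_logging
```

Running it prints two lines of the form alice[4321] 192.0.2.5 50412 192.0.2.10 22: ls -la /etc. The first prompt logs nothing (no new history yet) and each later prompt logs exactly the command just entered, which is the only-new-lines property of history -a that the trick relies on. Attach a real logger and HISTTIMEFORMAT is best left unset: with it set, history -a also emits "#epoch" comment lines, and syslog already timestamps every line.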

To log them to a separate file rather than mixing them into the other log files, use:

PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.info -t "$USER[$$] $SSH_CONNECTION")'

instead of the previous PROMPT_COMMAND, which sends the lines with facility local6, and then configure rsyslogd accordingly.

For example, on a Debian system edit the **/etc/rsyslog.conf** file:
change the line:

*.*;auth,authpriv.none           -/var/log/syslog

to

*.*;auth,authpriv.none,local6           -/var/log/syslog

(the comma-separated facility list shares the .none priority, so local6 is now excluded from /var/log/syslog) and add the following line to the end of the file:

local6.info                     /var/log/history.log


then create the file and restart rsyslog (on systemd-based releases, systemctl restart rsyslog does the same as the init script):

touch /var/log/history.log && /etc/init.d/rsyslog restart
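As an added example (not from the original post), the same routing written as an rsyslog drop-in file. It leaves /etc/rsyslog.conf untouched across package upgrades, makes the edit to the *.* line unnecessary, and adds optional forwarding to a central log server. The file name 40-history.conf and the host logs.example.com are assumptions; the selector syntax is standard rsyslog.

```conf
# /etc/rsyslog.d/40-history.conf  (assumed name: the number sorts it before
# Debian's 50-default.conf, which holds the catch-all /var/log/syslog rule,
# and rsyslog evaluates rules in the order the files are included)

# Everything from local6 goes to its own file. The leading "-" requests
# buffered writes, as on the syslog line in 50-default.conf.
local6.*    -/var/log/history.log

# Optional: also ship a copy to a central log server over TCP ("@@"; a
# single "@" would be UDP), so a user who edits or deletes the local file
# cannot erase the record. logs.example.com is a placeholder.
local6.*    @@logs.example.com:514

# "&" repeats the previous selector; "stop" ends processing for these
# messages so they never reach /var/log/syslog (older releases spell it "& ~").
& stop
```

After placing the file, run the same touch-and-restart step as above. To confirm the routing, send a test line with logger -p local6.info -t test hello and check that it lands in /var/log/history.log and not in /var/log/syslog.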

This article is my own answer on unix.stackexchange.com:

http://unix.stackexchange.com/questions/139874/local-timestamped-logging-of-all-ssh-commands/145297#145297

My answer was downvoted by the owner of the question as off topic, but I think it is just good practice, when you want to audit a system, to log ssh sessions to the server or, even better, to a log server. So I published my own answer on my own blog.



Source: webplay.pro
