How do I log all UNIX shell commands submitted by all users?

unix shell logging

Solution 1:

Since the dawn of time (actually dating back from the time when people had to actually pay real money per computer cycle they used) Unix and it's clones has had a system called Process Accounting (acct) built in. This allowed the system administrators to know exactly what their users were doing and so could bill them accordingly.

The acct facilities still exist in most Unix and Linux systems to this day.

This site: http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html tells you how to enable it.

Solution 2:

Here is a very nice and quick way to log all shell commands:

Step 1:

Use your favourite text editor to open /etc/bashrc and append the following line at the end:

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

Step 2:

Set the syslogger to trap local6 to a log file by adding this line in the /etc/syslog.conf file:

local6.*                /var/log/cmdlog.log

[See the Complete Blog Post Here]

Solution 3:

You could use snoopy.

It is very simple to install and to remove (no kernel module or patching required). Note that this is not a proper auditing solution and it can easily be circumvented.

Disclosure: I am current snoopy maintainer.

Related

Mac OSX change file association per file on the command line
How can I see a timestamp for when a command was executed using history?
Can't synchronize time, Windows 7
Where do mounted volumes and thumb drives show up in OSX Lion?
Danger/Risk of Plugging USB Devices into Powered USB Ports
How can I see if users are logged in over sftp?
Windows 7 - How to stop full path being displayed in Explorer taskbar?
Why are some "Use TLS" and "Use SSL" options turned off?
Completely cutting silence out of an audio file
Restrict SSH to one interface
Resize a VM hard-drive (virtualbox)
accessing the mapped network drives using mingw shell