How do I log all UNIX shell commands submitted by all users?
Solution 1:
Since the dawn of time (actually dating back from the time when people had to actually pay real money per computer cycle they used) Unix and it's clones has had a system called Process Accounting (acct
) built in. This allowed the system administrators to know exactly what their users were doing and so could bill them accordingly.
The acct
facilities still exist in most Unix and Linux systems to this day.
This site: http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html tells you how to enable it.
Solution 2:
Here is a very nice and quick way to log all shell commands:
Step 1:
Use your favourite text editor to open /etc/bashrc and append the following line at the end:
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
Step 2:
Set the syslogger to trap local6 to a log file by adding this line in the /etc/syslog.conf file:
local6.* /var/log/cmdlog.log
[See the Complete Blog Post Here]
Solution 3:
You could use snoopy.
It is very simple to install and to remove (no kernel module or patching required). Note that this is not a proper auditing solution and it can easily be circumvented.
Disclosure: I am current snoopy maintainer.