Last Updated: February 25, 2016 · Paxa

Save bash history in syslog on CentOS

Bash can write every command to syslog, which is useful when a server is accessed by more than one person.

You need to have bash version 4.1+; in my case, CentOS 6.4 and CentOS 7 already have it.

Open the file /etc/bashrc and paste this at the end:

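# Flush each command to the history file before the next prompt, and lock the setting
PROMPT_COMMAND='history -a'
typeset -r PROMPT_COMMAND

# Send every command to syslog (facility local1, priority notice) before it runs
function log2syslog
{
   declare command
   command=$BASH_COMMAND
   # Don't log the PROMPT_COMMAND hook itself
   [ "$command" = "$PROMPT_COMMAND" ] && return
   # Quote the message so the command text is logged verbatim (no word splitting or globbing)
   logger -p local1.notice -t bash -i -- "$USER : $PWD : $command"
}
trap log2syslog DEBUG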

The next time you log in, your commands show up in syslog:

$ sudo tail -10 /var/log/messages

Sep 21 20:35:57 my-server bash[28245]: pavel : /home/pavel : PATH=$PATH:$HOME/bin
Sep 21 20:35:57 my-server bash[28246]: pavel : /home/pavel : export PATH
Sep 21 20:36:15 my-server bash[28247]: pavel : /home/pavel : sudo tail -50 /var/log/messages
Sep 21 22:42:01 my-server bash[28273]: pavel : /home/pavel : sudo tail -50 /var/log/messages
Sep 21 22:51:35 my-server bash[28276]: pavel : /home/pavel : sudo nano /etc/bashrc
Sep 21 22:51:48 my-server bash[28304]: pavel : /home/pavel : PATH=$PATH:$HOME/bin
Sep 21 22:51:48 my-server bash[28305]: pavel : /home/pavel : export PATH
Sep 21 22:51:58 my-server bash[28306]: pavel : /home/pavel : sudo tail -f /var/log/messages
Sep 21 22:54:46 my-server bash[28309]: pavel : /home/pavel : sudo nano /etc/bashrc
Sep 21 22:56:04 my-server bash[28312]: pavel : /home/pavel : sudo tail -10 /var/log/messages

This plays nicely with log aggregation services. However, it can't be used for security audit purposes, because it's easy to avoid this logging.
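For feeding these records into an aggregation or review job, here is an added example (not part of the original tip) that splits the "USER : PWD : COMMAND" lines written by log2syslog into fields and counts sudo invocations per user. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/bash
# Added example: parse the "USER : PWD : COMMAND" records written by log2syslog.

# Constructed sample in the format shown above (not real log data).
sample_log() {
cat <<'EOF'
Sep 21 20:35:57 my-server bash[28245]: pavel : /home/pavel : export PATH
Sep 21 20:36:15 my-server bash[28247]: pavel : /home/pavel : sudo tail -50 /var/log/messages
Sep 21 20:40:02 my-server bash[28250]: anna : /srv/app : echo "a : b" > notes.txt
Sep 21 20:41:10 my-server sshd[28260]: Accepted publickey for anna from 192.0.2.10
Sep 21 20:42:31 my-server bash[28262]: anna : /etc : sudo nano /etc/bashrc
EOF
}

# Print tab-separated: timestamp, host, user, cwd, command.
# Only lines tagged bash[PID] are considered. The command is everything after
# the second " : ", so separators inside the command itself are preserved.
# (A working directory containing " : " would be ambiguous in this format.)
parse_bash_syslog() {
    awk '
    $5 ~ /^bash\[[0-9]+\]:$/ {
        ts = $1 " " $2 " " $3; host = $4
        p = index($0, $5)                      # start of the "bash[PID]:" tag
        msg = substr($0, p + length($5) + 1)   # text after the tag and one space
        i = index(msg, " : "); if (i == 0) next
        user = substr(msg, 1, i - 1); rest = substr(msg, i + 3)
        j = index(rest, " : "); if (j == 0) next
        cwd = substr(rest, 1, j - 1); cmd = substr(rest, j + 3)
        printf "%s\t%s\t%s\t%s\t%s\n", ts, host, user, cwd, cmd
    }'
}

# Count sudo invocations per user, sorted by user name.
sudo_count_by_user() {
    parse_bash_syslog | awk -F '\t' '$5 ~ /^sudo( |$)/ { n[$3]++ }
        END { for (u in n) print u, n[u] }' | sort
}

# Demo on the constructed sample; on a real host, pipe in /var/log/messages instead.
sample_log | sudo_count_by_user
```
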