Thanks for any help.

I'm helping configure a machine to log keystrokes using /usr/bin/script function. For each session, a log file is created that includes the POSIX time. $PS1 is changed to reflect the current time and name of the user so that anytime something is typed - we know when and what.

My problem is that /usr/bin/script launches a new (SHLVL 2) non-login shell with the standard 'bash-4.2$' prompt, and I can't find which/whose profile is being sourced so that I can change $PS1. /usr/bin/script is launched by root.

Simply, what profile is being sourced by a SHLVL 2 non-login session owned by root, within a session started by a standard user? (It doesn't seem to be /root/.bashrc or /root/.profile)

Alternatively - how can I force a bash profile to be read at every shell, interactive, non-interactive, non-login ,etc.

Edit: Users .bashrc .bash_profile and .profile all have a defined $PS1. Once in the nested shell, I can source any of these to change the prompt.

  • I'd check /etc/ and the user's profile.
    – choroba
    Commented Nov 24, 2014 at 16:18
  • Is this a feature for trusted users or an attempt at a hacker-proof logging system? That will probably influence the type and complexity of the solution.
    – l0b0
    Commented Nov 24, 2014 at 17:50
  • @l0b0 It is a feature for trusted users. It is a closed system so logon access is tightly controlled. At the same time, we do not want to have multiple admin users.
    – clargr1
    Commented Nov 24, 2014 at 18:03

1 Answer 1


There already exists a solution for this: sudo. From man 5 sudoers:

sudoers can log both successful and unsuccessful attempts (as well as errors) to syslog(3), a log file, or both. By default, sudoers will log via syslog(3) but this is changeable via the syslog and logfile Defaults settings.

  • Yes, we use auditd to monitor system events and create a separate log file for these, but my goal is also to get all keystrokes through the /usr/bin/script function.
    – clargr1
    Commented Nov 24, 2014 at 20:25

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .