11

Is there an elegant way to log every command submitted in all shells on a machine? This is in the context of an infrequently-used Ubuntu server, of which I am the only human user. (There are several user accounts used by automated systems.)

I would like this to be unobtrusive and low-overhead, so I'd love it if there were a simple method involving something like script.

4 Answers

11

Since the dawn of time (actually dating back from the time when people had to actually pay real money per computer cycle they used) Unix and its clones have had a system called Process Accounting (acct) built in. This allowed the system administrators to know exactly what their users were doing and so could bill them accordingly.

The acct facilities still exist in most Unix and Linux systems to this day.

This site: http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html tells you how to enable it.

4
  • Can this also be used to log which user performs sudo and su, and which of root's commands afterwards?
    – Daniel Beck
    Commented Mar 8, 2011 at 22:01
  • I believe it logs every command run, keyed by user, tty, etc. You can match up the commands on a tty with the user that was logged in to that tty to trace what users they su'd or sudo'd through.
    – Majenko
    Commented Mar 8, 2011 at 22:02
  • Thank you, I was totally unaware of this feature. A quick read of the man pages suggests that logging continues until a low-disk-space condition is reached - hence perhaps a need for a logrotate script.
    – jl6
    Commented Mar 8, 2011 at 22:36
  • I thought process accounting just logged which program ran, not the command with all its arguments?
    – Sirex
    Commented Feb 1, 2012 at 12:42
3

You could use snoopy.

It is very simple to install and to remove (no kernel module or patching required). Note that this is not a proper auditing solution and it can easily be circumvented.

Disclosure: I am the current snoopy maintainer.

2
  • Bostjan Skufca has also provided additional instructions for installing snoopy in Ubuntu here and also in an additional comment in the same thread here.
    – karel
    Commented Nov 6, 2014 at 3:33
  • +1 for snoopy; it provides a nice log of command and arguments in /var/log/auth.log
    Commented Jul 27, 2015 at 10:42
2

Here is a very nice and quick way to log all shell commands:

Step 1:

Use your favourite text editor to open /etc/bashrc and append the following line at the end:

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

Step 2:

Set the syslogger to trap local6 to a log file by adding this line in the /etc/syslog.conf file:

local6.*                /var/log/cmdlog.log

[See the Complete Blog Post Here]

1
  • 1
    An alert user would be able to disable this by resetting the variable, and because it is executed "prior to issuing each primary prompt" this fact would not be logged.
    Commented Jan 7, 2012 at 16:50
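
An added example, not part of the answer above: a small Python parser for the lines the PROMPT_COMMAND one-liner sends to /var/log/cmdlog.log, which extracts user, shell PID, command and exit status and lists sudo/su invocations and failed commands. The syslog prefix layout, the names `parse_line` and `review`, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

# Message format produced by the PROMPT_COMMAND line above:
#   "<whoami> [<shell pid>]: <last history entry> [<exit status>]"
# Assumption: syslog prepends the traditional "Mon DD HH:MM:SS host tag: " prefix.
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s\S+:\s"
    r"(?P<user>\S+)\s\[(?P<pid>\d+)\]:\s"
    r"(?P<cmd>.*)\s\[(?P<rc>\d+)\]$"  # greedy cmd: only the LAST [n] is the status
)
PRIV_RE = re.compile(r"^(sudo|su)(\s|$)")
Entry = namedtuple("Entry", "ts host user pid cmd rc")

def parse_line(line):
    """Return an Entry, or None if the line is not in the expected format."""
    m = ENTRY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    return Entry(d["ts"], d["host"], d["user"], int(d["pid"]), d["cmd"], int(d["rc"]))

def review(lines):
    """Collect privilege-changing commands and commands that exited non-zero."""
    report = {"privileged": [], "failed": [], "unparsed": 0}
    for line in lines:
        e = parse_line(line)
        if e is None:
            report["unparsed"] += 1
            continue
        if PRIV_RE.match(e.cmd):
            report["privileged"].append(e)
        if e.rc != 0:
            report["failed"].append(e)
    return report

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    "Jan  7 16:50:01 srv1 alice: alice [4321]: ls -la /var/log [0]",
    "Jan  7 16:50:09 srv1 alice: alice [4321]: sudo systemctl restart cron [0]",
    "Jan  7 16:50:30 srv1 alice: alice [4321]: test -f /tmp/x[1] [1]",
    "Jan  7 16:51:02 srv1 backup: backup [5010]: su - postgres [1]",
    "Jan  7 16:51:05 srv1 kernel: unrelated message",
]

if __name__ == "__main__":
    for kind, entries in review(SAMPLE).items():
        print(kind, entries)
```

The shell PID field is what lets entries from one login session be grouped together, since every command typed in that shell carries the same `[$$]` value.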
1

You can use sudosh as a shell wrapper. It includes automatic logging of everything you do, and can play back the log files. See its website for more information.
