Howto – bash audit / command logger


Having a complete history of all typed commands can be very helpful in many scenarios:

  • when several administrators work together on the same server and need to know what was done previously
  • when someone needs to redo an older sequence of commands or to understand an undocumented maintenance process
  • for troubleshooting or forensic analysis, by cross-checking the date of an event or of a file against the commands executed at that date

Unfortunately, the shell's standard ‘.bash_history’ file is not written to disk in the case of a crash, and it may be deleted by the user.
Another problem is that when many shell sessions are running concurrently, each one only writes its commands when it is closed, so the commands in the history do not appear in chronological order.
Furthermore, ‘.bash_history’ does not include essential information such as the working directory of each command, and by default the repetition or re-editing of commands is not logged either.

