vim /etc/bashrc
export PROMPT_COMMAND='
RETRN_VAL=$?;
LAST_COMMAND=$(history 1);
if [ "$LAST_COMMAND" != "$LAST_RECORDED_COMMAND" ]; then
echo "$(date "+%Y-%m-%d %H:%M:%S") : $(whoami) : $LAST_COMMAND" >> /var/log/command_hist
ory.log;
LAST_RECORDED_COMMAND="$LAST_COMMAND";
fi
'
trap 'echo "$(date "+%Y-%m-%d %H:%M:%S") : $(whoami) : Exiting shell" >> /var/log/command_hi
story.log' EXIT
|
vim /etc/rsyslog.d/histroy_command_auditing.conf
module(load="imfile" PollingInterval="1")
input(type="imfile"
File="/var/log/command_history.log"
Tag="command_history"
Severity="info"
Facility="local0")
if $programname == 'command_history' then @@10.0.0.17:514
|