This is a handy way to log user’s bash histories to syslog without making any modifications to the bash source code itself. Simply drop the following snippet into either the per-user or system-wide bash profile (~/.bash_profile and /etc/profile, respectively)

function log2syslog
{
   declare COMMAND
   COMMAND=$(fc -ln -0)
   logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
}
trap log2syslog DEBUG

This won’t guarantee you log consistency in the event of a compromised host but you’ll certainly have and increased ability to correlate events on your systems.

This entry was posted on Tuesday, October 27th, 2009 at 2:08 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.