|
linux:linux_audit_user_commands [2025/09/14 19:02] manu |
linux:linux_audit_user_commands [2025/09/15 19:21] (current) manu |
||
|---|---|---|---|
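--- a/linux:linux_audit_user_commands
+++ b/linux:linux_audit_user_commands
@@ -3,4 +3,22 @@
 Set PROMPT_COMMAND to log every command to syslog
 <cli prompt='#'>
-PROMPT_COMMAND='history -a >(logger -t "[$USER] $SSH_CONNECTION")'
+PROMPT_COMMAND='history -a >(tee -a $HISTFILE | logger -p local6.notice -t "[$USER] $SSH_CONNECTION")'
 </cli>
+
+/etc/rsyslog.conf
+<code>
+# Log every command executed by a user to a separate file
+local6.* /var/log/commands.log
+</code>
+
+<cli prompt='$'>
+$ tail -f /var/log/commands.log
+Mar 28 14:23:56 ip-3-168-15-118 shell[9346]: docker ps
+Mar 28 14:23:58 ip-3-168-15-118 shell[9346]: docker ps -a
+Mar 28 14:26:01 ip-3-168-15-118 shell[9346]: cat /etc/rsyslog.conf
+Mar 28 14:27:02 ip-3-168-15-118 shell[9346]: tail -f /var/log/commands.log
+Mar 28 14:27:05 ip-3-168-15-118 shell[9346]: ls -lsh
+Mar 28 14:27:07 ip-3-168-15-118 shell[9346]: pwd
+</cli>
+
+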
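Review bot: The `PROMPT_COMMAND` hook on the changed line runs inside the audited user's own shell, so that user can unset or overwrite it, or start a different shell, and nothing reaches `local6`. The page should say so, for example `Note: this is a convenience log, not a tamper-resistant audit trail; use auditd execve rules or pam_tty_audit where commands must be recorded reliably.` On the same line `$HISTFILE` is unquoted inside the process substitution, so `tee -a "$HISTFILE"` is safer. The sample output shows the tag `shell[9346]:`, which does not match `-t "[$USER] $SSH_CONNECTION"` and looks captured from a different logger invocation. Since `/var/log/commands.log` will contain whatever users type, including secrets passed on the command line, the rsyslog snippet would benefit from a comment about restricting the file's mode and rotating it.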