linux:linux_audit_user_commands
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
linux:linux_audit_user_commands [2025/09/14 18:58] manu created |
linux:linux_audit_user_commands [2025/09/14 20:56] (current) manu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Log user commands ====== | ====== Log user commands ====== | ||
| + | Set PROMPT_COMMAND to log every command to syslog | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| + | PROMPT_COMMAND='history -a >(logger -t "[$USER] $SSH_CONNECTION")' | ||
| </cli> | </cli> | ||
| + | |||
| + | /etc/rsyslog.conf | ||
| + | <code> | ||
| + | # Log every command executed by a user to a separate file | ||
| + | local6.* /var/log/commands.log | ||
| + | </code> | ||
| + | |||
| + | <cli prompt='$'> | ||
| + | $ tail -f /var/log/commands.log | ||
| + | Mar 28 14:23:56 ip-3-168-15-118 shell[9346]: docker ps | ||
| + | Mar 28 14:23:58 ip-3-168-15-118 shell[9346]: docker ps -a | ||
| + | Mar 28 14:26:01 ip-3-168-15-118 shell[9346]: cat /etc/rsyslog.conf | ||
| + | Mar 28 14:27:02 ip-3-168-15-118 shell[9346]: tail -f /var/log/commands.log | ||
| + | Mar 28 14:27:05 ip-3-168-15-118 shell[9346]: ls -lsh | ||
| + | Mar 28 14:27:07 ip-3-168-15-118 shell[9346]: pwd | ||
| + | </cli> | ||
| + | |||
| + | |||
linux/linux_audit_user_commands.1757869095.txt.gz ยท Last modified: 2025/09/14 18:58 by manu
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
