Security – How to log every linux command to a logserver

logging, security, shell

I want every single command typed to go to a logserver. syslog-ng is already configured to send all logs to the logserver.

I'm interested in any and all methods to do this. I would expect some discussion of rogue users and security, but the first primary objective is to simply get the sessions to log. All sessions are over ssh, but console connection commands should be logged as well. I would like this to happen for any shell, but the primary one is bash. (Again, I know a rogue user could create their own shell…)

Best Answer

This is not how you approach the problem. Once you give shell access to a user, you are entrusting that user to do anything he/she has the proper permissions to. Forget command logging; there are way too many ways to execute a command in any Unix system.

For example, the user may start a mail client (the only command logged is pine, for example); there he selects "Compose", which starts VI, and from VI he launches any command he wants through :!cmd. This command isn't logged anywhere, and from the point of view of the system it is like any helper application called by VI, like grep or sort. The only command logged by the shell was pine.

It seems that what you actually want is called auditing. Enable the auditing subsystem and use the auditctl command and the auditd daemon from the audit package to control what is logged. More information is in the auditctl(8) manual page.

Note that logging every process instantiation may also not be optimal. For example, the simple ./configure for a software package (created using autotools) is notable for creating thousands of process instantiations. This will flood the auditing log with so much noise that it becomes very hard to analyze it later.
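The audit approach from the answer above, as an added example that is not part of the original answer or of the audit package: an auditctl rule set that records every execve(2) from a login session, and a small awk parser that turns the raw audit.log records back into "auid tty command" lines. It assumes Linux auditd with auditctl/augenrules/ausearch installed; the rule file name 50-execve.rules, the key name "exec" and the sample log lines are constructed here. The auid filters in the rules are one answer to the ./configure noise problem: daemons and system accounts are skipped, only real login users are recorded. The constructed sample is the answer's own scenario, a user in vi running :!id -u, which the shell never sees but auditd records as vi spawning sh -c "id -u" and then id. To get these records onto the logserver through the syslog-ng setup already in place, auditd's audisp syslog plugin (configured under /etc/audisp/plugins.d/ or /etc/audit/plugins.d/, depending on the audit version) can copy every record into syslog.

```shell
#!/bin/sh
# Added example, not code from the original answer. It assumes Linux auditd
# (auditctl/augenrules/ausearch from the audit package); the rule file name,
# the key "exec" and the sample log below are constructed for this illustration.

# Rules that record every execve(2) made from a login session. The auid
# filters skip daemons and system accounts (auid unset is 4294967295) so
# that system services do not flood the log; drop them to catch everything.
# Install with:
#   audit_execve_rules > /etc/audit/rules.d/50-execve.rules && augenrules --load
# Read back on the host with:  ausearch -k exec -i
audit_execve_rules() {
    cat <<'EOF'
## Every program execution by a real user, on both the 64-bit and 32-bit ABI
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
EOF
}

# Turn raw /var/log/audit/audit.log records back into "auid tty command".
# On the audit host `ausearch -k exec -i` does this for you; this parser is
# for the copy that has been shipped to the logserver. auditd hex-encodes any
# argv element containing spaces or quotes, so those are decoded; the SYSCALL
# record of the same event (same msg=audit(...) token) supplies auid and tty.
audit_exec_report() {
    awk '
    function hex2str(h,    i, out, c) {
        out = ""
        for (i = 1; i <= length(h); i += 2) {
            c = index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            c = c * 16 + index("0123456789abcdef", tolower(substr(h, i + 1, 1))) - 1
            out = out sprintf("%c", c)
        }
        return out
    }
    # a0="vi" is a plain quoted value; a2=6964202D75 is hex for "id -u"
    function argval(v) {
        if (substr(v, 1, 1) == "\"") return substr(v, 2, length(v) - 2)
        v = hex2str(v)
        return (v ~ / /) ? "\"" v "\"" : v
    }
    {
        # the msg=audit(time:serial) token ties SYSCALL and EXECVE together
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        ev = substr($0, RSTART, RLENGTH)
        if ($1 == "type=SYSCALL") {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/) auid[ev] = substr($i, 6)
                if ($i ~ /^tty=/)  tty[ev]  = substr($i, 5)
            }
        } else if ($1 == "type=EXECVE") {
            cmd = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^a[0-9]+=/) {
                    v = argval(substr($i, index($i, "=") + 1))
                    cmd = (cmd == "") ? v : cmd " " v
                }
            printf "%s %s %s\n", auid[ev], tty[ev], cmd
        }
    }'
}

# Constructed sample of what the rules above produce for the answer's own
# scenario: a user runs vi, types :!id -u, and vi spawns sh -c "id -u".
# Only the fields the parser needs are kept; a real record has many more.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1700000000.101:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="exec"
type=EXECVE msg=audit(1700000000.101:4242): argc=1 a0="vi"
type=SYSCALL msg=audit(1700000000.105:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1202 auid=1000 uid=1000 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1700000000.105:4243): argc=3 a0="sh" a1="-c" a2=6964202D75
type=SYSCALL msg=audit(1700000000.109:4244): arch=c000003e syscall=59 success=yes exit=0 ppid=1202 pid=1203 auid=1000 uid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1700000000.109:4244): argc=2 a0="id" a1="-u"'

# Prints:
#   1000 pts0 vi
#   1000 pts0 sh -c "id -u"
#   1000 pts0 id -u
printf '%s\n' "$AUDIT_SAMPLE" | audit_exec_report
```

The ppid chain in the SYSCALL records (vi 1201, sh 1202, id 1203) is what lets you reconstruct that the id call came out of the editor rather than the shell, which is exactly the case shell history or a patched bash cannot see. Keep the auid filters unless you really need daemon activity: the rules as written still log everything a person does, whether over ssh or on the console, because both go through a PAM session that sets the login uid.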