Capturing all command history
Posted on 2005-04-11
Client wants to capture an audit trail of all commands executed on their server (especially commands as root...).
They currently have process accounting enabled, so the 'lastcomm' command is available, but it only gives the executable name, not the full command line. I know that there's also a .bash-history for each user, but it seems that a user could probably edit that file and erase their tracks pretty easily. The 'audit daemon' is something that I haven't played around with yet, but this is a RHEL 3 server, so that would be available.
Is there a simple way to get what the user wants?