Bash version 4.N apparently has the ability to write command history to syslog, but I can't find information about how to configure this.
I have read several pages which offer hacks using PROMPT_COMMAND and trap, and I know that there's a patch available, but this should be unnecessary, as it is now built in.
I know I can use auditd to capture commands, but I'd like to use the bash/syslog combination.
Best Answer
This approach seems to be what you're looking for. This article discusses it, titled: Improving Bash Forensics Capabilities.
Excerpt:
So it would seem that though the feature is available in Bash 4.1+, it's likely not compiled in by default with the Bash in most of the popular distros.
I haven't found a method for seeing what options a given Bash was compiled with, so to answer that question you'll likely need to look at the upstream .spec file used when building the Bash RPM (for example, on Red Hat distros; the same approach can be used for Debian-based distros as well). As confirmation I looked in the Bash .spec file for the Bash included with CentOS 7.2.1511 and it does not have this enabled:
Rolling your own RPM
Here are the steps that I used to build my own Bash using the gist of what the above details spelled out.
download & install source
To start I downloaded a source RPM (SRPM) of Bash that's available for CentOS 7.x. After downloading it I installed it into my rpmbuild directory:
This will unpack files into rpmbuild/SPEC & rpmbuild/SOURCES. Now we're going to make a copy of the contents of the unpacked Bash tar.gz file using these steps:
patch
Edit rpmbuild/SOURCES/bash-4.2/config-top.h and make it look like this:
Edit rpmbuild/SOURCES/bash-4.2/bashhist.c and make the bash_syslog_history function look like this:
Now generate a .patch file which includes our changes to these 2 files:
build
Add these lines to $HOME/rpmbuild/SPEC/bash.spec. Put these lines into the appropriate places in the SPEC file:
Now build it:
The tail end of this build will look like this:
install
Once complete, we can install the resulting RPM:
configure rsyslog
Now modify rsyslog's /etc/rsyslog.conf config:
Then restart Rsyslog:
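One way to write the "configure rsyslog" step, added here as an example and not the answer's own config (the original snippet did not survive on this page). It assumes rsyslog 7+ RainerScript syntax and Bash's default SYSLOG_FACILITY (LOG_USER) and "HISTORY:" message prefix from config-top.h / bashhist.c; if bash_syslog_history was changed to a different format, adjust the filter accordingly.

```conf
# Added example: route Bash history records into one file per originating
# host, matching the /var/log/bash-log/<ip>.log layout used in the answer.
# Assumptions: default facility LOG_USER and message prefix "HISTORY:".

# Optional: accept records from remote hosts as well as the local shell.
module(load="imudp")
input(type="imudp" port="514")

# File name is derived from the sender's IP (127.0.0.1 for local messages).
template(name="BashHistFile" type="string"
         string="/var/log/bash-log/%fromhost-ip%.log")

if ($syslogfacility-text == "user" and $msg contains "HISTORY:") then {
    # Command history can contain secrets typed on the command line,
    # so keep the files and directory readable by root only.
    action(type="omfile" dynaFile="BashHistFile"
           createDirs="on" dirCreateMode="0700" fileCreateMode="0600")
    stop
}
```

Place the fragment before the catch-all rules in /etc/rsyslog.conf (or in its own file under /etc/rsyslog.d/) so the stop prevents the history lines from also landing in /var/log/messages.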
test & confirm
Now run a new instance of Bash as root, and run a couple of commands:
And tail the log file, /var/log/bash-log/127.0.0.1.log:
Notice the CMD=... lines in this log? These are the commands we just ran, ls & tail.
Prebuilt?
To help people out with this I've taken the liberty to build the Bash RPM with the modifications made in Copr.