How can you log every command someone has entered into the shell?
I'm asking on both the basis of protecting yourself if you are logged into someone else's server and something breaks, or if someone else is logged into your server (either intentionally or maliciously).
Even a novice can bypass history with unset history or create a new shell to hide their tracks.
I'm curious how the senior linux admins track what commands have been entered / changes made to the system.
Best Answer
Check out auditd. If you add
to
/etc/audit/audit.rules
every executed command will be logged. See: http://whmcr.com/2011/10/14/auditd-logging-all-commands/ Then send it to a syslog server.
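As an added illustration of what the auditd approach gives you (this is example code, not from the answer above or from the linked post), the script below parses a few constructed audit.log lines of the kind an execve rule produces and joins each SYSCALL record with its EXECVE record to reconstruct who ran what, from which tty, with the full argument vector. The sample lines, the key name "exec-audit" and the user ids are constructed; the record layout (quoted values, hex encoding for arguments that contain whitespace) follows the real audit log format. Note that the auid field is the login uid, which survives su and sudo, so the shell-side tricks the question mentions (unsetting history variables, spawning a new shell) leave the audit trail intact.

```python
import re
from collections import OrderedDict

# Constructed sample of /var/log/audit/audit.log lines for two execve calls.
# Each execve yields a SYSCALL record (identity, tty, result) and an EXECVE
# record (argv) that share the same event id after the timestamp.
# Arguments containing whitespace are written as unquoted hex (a2 below).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1318586874.012:1234): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3010 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=5 comm="cat" exe="/bin/cat" key="exec-audit"
type=EXECVE msg=audit(1318586874.012:1234): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1318586875.440:1235): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3011 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=5 comm="bash" exe="/bin/bash" key="exec-audit"
type=EXECVE msg=audit(1318586875.440:1235): argc=3 a0="bash" a1="-c" a2=756E736574204849535446494C45
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_value(key, raw, record_type):
    """Audit values are double-quoted, or hex-encoded without quotes when they
    contain whitespace or non-printable bytes. Only EXECVE argv fields (a0, a1,
    ...) are hex-decoded here; in SYSCALL records a0..a3 are raw registers."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if (record_type == 'EXECVE' and key[:1] == 'a' and key[1:].isdigit()
            and HEX_RE.match(raw)):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_record(line):
    """Turn one audit.log line into a dict of fields plus _ts and _id."""
    m = MSG_RE.search(line)
    if not m:
        return None  # not an audit record (blank line, ausearch separator, ...)
    raw = dict(FIELD_RE.findall(line))
    record_type = raw.get('type', '').strip('"')
    rec = {k: decode_value(k, v, record_type) for k, v in raw.items()}
    rec['_ts'] = float(m.group(1))
    rec['_id'] = int(m.group(2))
    return rec


def reconstruct_commands(log_text):
    """Group records by event id and emit one entry per executed command.
    auid is the login uid (survives su/sudo); uid is the identity the
    command actually ran as."""
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec['_id'], {})[rec['type']] = rec

    commands = []
    for event_id, recs in events.items():
        sc, ex = recs.get('SYSCALL'), recs.get('EXECVE')
        if sc is None or ex is None:
            continue  # an EXECVE record is only ever emitted for execve
        argc = int(ex.get('argc', 0))
        argv = [ex.get('a%d' % i, '') for i in range(argc)]
        commands.append({
            'event': event_id,
            'time': sc['_ts'],
            'auid': sc.get('auid'),
            'uid': sc.get('uid'),
            'tty': sc.get('tty'),
            'exe': sc.get('exe'),
            'success': sc.get('success') == 'yes',
            'argv': argv,
            'command': ' '.join(argv),
        })
    return commands


if __name__ == '__main__':
    for c in reconstruct_commands(SAMPLE_LOG):
        print('%.3f auid=%s uid=%s tty=%s %s' % (
            c['time'], c['auid'], c['uid'], c['tty'], c['command']))
```

On a real host the same reconstruction is what `ausearch -i -sc execve` and `aureport -x` do for you; the script is useful when the log has already been shipped to a central syslog server, as the answer recommends, and you want to search it there. If auid shows as 4294967295 (unset), the login uid was never assigned, which usually means pam_loginuid is not in the PAM stack for that login path.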