On a server requirements are that all commands issued by root or using sudo must be sent to syslog, with real user's name (PCI requirement).
For the standard shell (bash) this is not a problem, simply added this line to /root/.bashrc:
But the server also has tcsh, how do I configure it there?
I've tried to use 'precmd' in /root/.cshrc but it fails to log anything. The closest I got is
This doesn't output any error message when switching shell to tcsh, but still nothing is logged.
Putting single quote around the command almost works - when logging in it's like command waiting to finish, if I press <enter> I get a line in /var/log/messages - so it obviously logs to syslog! (And I've tried all 3 single quotes).
But then, the prompt just hangs, like with a not completed command.
Setting the command between parenteses I get "Badly placed ()'s"

And tcsh cannot be removed (required by subversion and some other apps we simply must have).
Server is running OpenSuse 12.1.

Any ideas?

While that's certainly creative (and let's forego talking about protecting variables) it relies on the user land process itself to perform logging and I hope you can see what uncertainties (at least) that causes wrt the integrity of what's being logged (and how will you find out if nothing was logged BTW? ;-p).


We've actually got quite a few "I want to log everything"-like threads at LQ. If you search for my handle in combination with search terms like audit, rootsh, sudosh you should find some to read.