Bash logging patches

Posted 06-12-2012 at 12:25 PM by unSpawn

Over the years we've seen quite a few "I want to log everything" questions asked, for which I listed some pointers a while ago in several posts. To complement a recent "I want to capture all the operations performed in the terminal" question (thread: How to Capture a Unix Terminal Session?) I looked for Bash patches. Long story short: Bash 4 can be compiled with syslog support, but that shell will still run as the user who logs in, AFAIK. (So depending on your requirements for coverage and invasiveness of available solutions, a multi-layered approach may be a better strategy.)

Patch availability:
- Bash 2 patch logs time, terminal, hostname and commands of all users into a single file: (set append-only extended attribute and have rsyslog read the file into (remote) syslog?),
- Bash 2 patch by Antonomasia ( copy): (used at the time in the Honeypot project IIRC),
- Bash 3 patch
- another Bash 3 patch:
- Bash 4 is able to log the history to syslog: (,

Other reading material (do sort good implementations from bad ones): (and

Also see:
Audit: (also see for Steve Grubb's Bash patch and pages like and for audit examples)
Rootsh logs all echoed keystrokes and terminal output to a file and/or to syslog:
Snoopy Logger logs commands to syslog, with uid and sid and tty path:
FUSE loggedFS: (example:
PAM selective logging per TTY: /usr/share/doc/pam-*/txts/README.pam_tty_audit
An LQ member's own logging solution:

*Do* ask:
If after reading the above you have questions about how and what to log please post your thread in the LQ Linux - Security forum.