The user log is maintained under the history file in their home directories, but the history of commands is dumped to the history file after the user logs off.
Like in "ln -sf /dev/null ~/.bash_history"?
I want to trace the history of all user commands and dump them into a log file being maintained under manager.
There are a few options for logging I can think of:
- honeypot Bash shell with syslogging:
http://www.rootshell.be/~unspawn/packaging/bash.html
- LKM to track execve's like Syscalltrack or procmon
- Grsecurity(.net) (or other) reinforced kernel with the audit options on
All options have drawbacks. I'm using Grsecurity.
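As an added illustration of the first option (a Bash shell that syslogs commands), not code from the thread or from the linked package: a snippet for /etc/bash.bashrc that sends every interactive command to syslog as it is entered, so the record is written to a root-owned log rather than to a ~/.bash_history the user can symlink to /dev/null. The facility (local1), tag (bash-cmdlog) and variable names are my own choices.

```bash
#!/bin/bash
# Added example: per-command syslogging from the shell itself.
# Drop into /etc/bash.bashrc (or /etc/profile.d/) on the managed host.

# Build one log record from the raw output of `history 1` ("  123  ls -la")
# plus the shell's context. Kept free of side effects so it can be tested.
cmdlog_format() {
    local user="$1" tty="$2" cwd="$3" hist="$4"
    local cmd
    # strip the leading history number and surrounding whitespace
    cmd=$(printf '%s' "$hist" | sed -E 's/^[[:space:]]*[0-9]+[[:space:]]+//')
    printf 'user=%s tty=%s pwd=%s cmd=%s' "$user" "$tty" "$cwd" "$cmd"
}

# Run from PROMPT_COMMAND before each prompt: log the last history entry
# unless it is the one already logged (an empty Enter does not add an entry).
cmdlog_emit() {
    local last
    last=$(HISTTIMEFORMAT= history 1)
    [ "$last" = "$CMDLOG_LAST" ] && return 0
    CMDLOG_LAST=$last
    # facility/tag are assumptions; route local1 to a root-owned file in syslogd
    logger -p local1.info -t bash-cmdlog \
        "$(cmdlog_format "${SUDO_USER:-$USER}" "$(tty 2>/dev/null)" "$PWD" "$last")"
}

# Wire it up only in interactive shells, once, and make the relevant variables
# read-only so the user cannot unset PROMPT_COMMAND or repoint HISTFILE.
if [ -n "$PS1" ] && [ -z "$CMDLOG_INSTALLED" ]; then
    CMDLOG_INSTALLED=1
    shopt -s histappend
    PROMPT_COMMAND='cmdlog_emit'
    readonly PROMPT_COMMAND HISTFILE HISTFILESIZE HISTSIZE CMDLOG_INSTALLED
fi
```

This only sees commands typed into this Bash instance; a user who execs another shell or runs commands non-interactively bypasses it, which is the drawback the kernel-level options in the reply (execve tracking, audit-enabled kernel) address.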