GNU Bash 4.1 already has all the code needed for command logging; you enable it simply by editing the config-top.h file. Change:

    /* Define if you want each line saved to the history list in bashhist.c:
       bash_add_history() to be sent to syslog(). */
    /* #define SYSLOG_HISTORY */
    #if defined (SYSLOG_HISTORY)
    # define SYSLOG_FACILITY LOG_USER
    # define SYSLOG_LEVEL LOG_INFO
    #endif

to:

    /* Define if you want each line saved to the history list in bashhist.c:
       bash_add_history() to be sent to syslog(). */
    #define SYSLOG_HISTORY
    #if defined (SYSLOG_HISTORY)
    # define SYSLOG_FACILITY LOG_USER
    # define SYSLOG_LEVEL LOG_INFO
    #endif

And all commands in interactive shells are logged. (Don't forget to add the other 9 official bash patches to get to code level 4.1.9.) One thing I did notice is that on Solaris, the PID was being logged with the log entry to syslog; however, this was not the case on Linux. Rather, the PID was being logged by the log entry %s itself.

    if (strlen(line) < SYSLOG_MAXLEN)
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);

Resulting in log entries like:

    Dec 7 23:13:02 linux bash: HISTORY: PID=1752 UID=1001 ls

I don't really like that format, either. I'd rather see usernames and commands, and have the PID over on the left with the 'bash:'. This was a pretty simple change in code to:

    openlog("bash",LOG_PID,SYSLOG_FACILITY);
    if (strlen(line) < SYSLOG_MAXLEN)
      syslog (SYSLOG_LEVEL, "[%s] %s", current_user.user_name, line);

This results in log entries that look like:

    Dec 7 23:26:39 linux bash: [tkennedy] ls

To me, this is a much more readable log file. Perhaps that's because I'm used to the log format of the BOFH-patched tcsh shell, which we also use. Now bash and tcsh log in identical formats. Our users have been informed that bash and tcsh are acceptable for interactive shells on Linux, and there were no exceptions. On Solaris we encourage the use of bash or tcsh for interactive shells in the hopes that consistency lends itself to stability, although we use the RBAC-aware pf- shells for role accounts like 'oracle', which encourage ksh.
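
An added example, not part of the original post or of bash's source: a stand-alone C program that emits records in the "[user] command" format above with the same openlog()/syslog() calls, and additionally escapes control characters so that a command containing a newline stays on one log record. The function names, the "bash-example" tag and the SYSLOG_MAXLEN value of 600 are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define SYSLOG_MAXLEN 600   /* assumed limit for this example */

/* Build "[user] command" in out. Control bytes are written as \xNN so a
   multi-line command cannot begin a second record. Returns 1 if truncated. */
int format_history(const char *user, const char *line, char *out, size_t outsz)
{
  static const char hex[] = "0123456789abcdef";
  int r = snprintf(out, outsz, "[%s] ", user);
  size_t n;
  if (r < 0 || (size_t)r >= outsz)
    { if (outsz) out[0] = '\0'; return 1; }
  n = (size_t)r;
  for (; *line; line++)
    {
      unsigned char c = (unsigned char)*line;
      size_t need = (c < 0x20 || c == 0x7f) ? 4 : 1;
      if (n + need >= outsz)            /* keep room for the final NUL */
        { out[n] = '\0'; return 1; }
      if (need == 4)
        {
          out[n++] = '\\'; out[n++] = 'x';
          out[n++] = hex[c >> 4]; out[n++] = hex[c & 15];
        }
      else
        out[n++] = (char)c;
    }
  out[n] = '\0';
  return 0;
}

/* Send one record. LOG_PID makes syslog add the PID next to the tag; the
   command is passed as an argument, never as the format string. */
void log_history(const char *user, const char *line)
{
  char msg[SYSLOG_MAXLEN];
  int cut = format_history(user, line, msg, sizeof msg);
  openlog("bash-example", LOG_PID, LOG_USER);   /* hypothetical tag */
  syslog(LOG_INFO, "%s%s", msg, cut ? " (truncated)" : "");
  closelog();
}

int main(void)
{
  log_history("tkennedy", "echo one\necho two");  /* constructed sample */
  return 0;
}
```
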
Here's my patch to bashhist.c that logs entries the way I like them: