Bash: History to Syslog

Bash Shell

For those who still ignore, Bash 4 is out for a few days! Bash is the most used shell on UNIX hosts. Bash has a built-in mechanism to save a log of all commands executed by the user (default in $HOME/.bash_history) but this file belongs to the user itself and can be altered or removed when the shell exits. This is not a safe way to audit users activity.

Here are two methods to send a copy of all commands executed by the users to a Syslog server. The first one will use the Bash “trap” feature. The second one is a patch to apply in the Bash source code.

Using a trap

Just add the following lines in your /etc/profile:

function log2syslog
   declare command
   command=$(fc -ln -0)
   logger -p local1.notice -t bash -i — $USER : $command
trap log2syslog DEBUG

/etc/profile is parsed and executed when Bash is started. The goal is to use the trap feature and call a function each time the user generates activity. The trap function (log2syslog) will extract the last command from the history and log it to Syslog using the logger command. Very easy to implement but this method:

  • spawns new process at each command logged (can have a negative effect when the server activity is high)
  • is not transparent to the user (regular users can’t edit /etc/profile but can read it!)

That’s why the second method will be preferred.

Using a patch

The method is to apply a patch on the Bash source tree and recompile the shell. It requires a environment with a compiler and the source code but this method will use less CPU and will be completely transparent!

An example of patch is available here. It takes five minutes to manually apply the patch to the Bash 4 source tree.

Here is an example of Syslog message:

Feb 27 19:30:51 honey bash: HISTORY: PID=21099 UID=1000 echo foo!

To conclude, don’t forget that, on a legal point of view, your users must be aware of the activity monitoring in place! Adapt your message-of-the-day file (/etc/motd) to remind that the activity is logged.