michaelspost.com


Posts and stuff


Simple and easily disabled (User can kill the processes)
PROMPT_COMMAND='history -a >(logger -t "[$USER] $SSH_CONNECTION")'
More complex, but user won't be able to stop it
Add this line to the PAM configuration of whatever service you'd like to track (all users). The auditd service also needs to be running.
session    required     pam_tty_audit.so enable=*
Alternatively, disable it for some users and enable it only for others. The module also has a log_passwd option, which will catch hidden input fields like passwords.
session required pam_tty_audit.so disable=username,anotheruser enable=username log_passwd
Then run the following command to view the results. It's a bit ugly and shows users by UID, but it works.
aureport --tty
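
The enable=/disable= lists above are read left to right, and per pam_tty_audit(8) a later match overrides an earlier one for the same user. The following sketch is an added example, not part of the original post; it resolves what a given pam_tty_audit line means for one user, and the function names tty_audit_state and logs_passwords are hypothetical helpers.

```sh
#!/bin/sh
# Added example: work out what a pam_tty_audit line does for one user.
# Rule from pam_tty_audit(8): enable=/disable= are processed in order and a
# later matching option overrides an earlier one. Patterns are comma-separated
# globs. If nothing matches, the module leaves the inherited setting alone.

# tty_audit_state USER "PAM LINE OR OPTIONS" -> enable | disable | unchanged
# The body is a subshell so the IFS and noglob changes do not leak out.
tty_audit_state() (
    user=$1
    state=unchanged
    set -f                          # keep enable=* from expanding to filenames
    for opt in $2; do
        case $opt in
            enable=*)  kind=enable ;;
            disable=*) kind=disable ;;
            *) continue ;;          # "session", "required", log_passwd, ...
        esac
        IFS=,
        for pat in ${opt#*=}; do
            case $user in
                $pat) state=$kind ;;   # unquoted: matched as a glob pattern
            esac
        done
    done
    printf '%s\n' "$state"
)

# logs_passwords "PAM LINE" -> exit status 0 if log_passwd is present,
# meaning hidden input such as passwords will land in the audit log.
logs_passwords() {
    case " $1 " in
        *" log_passwd "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo using the second configuration line from the post.
line='session required pam_tty_audit.so disable=username,anotheruser enable=username log_passwd'
for u in username anotheruser someoneelse; do
    printf '%-12s %s\n' "$u" "$(tty_audit_state "$u" "$line")"
done
if logs_passwords "$line"; then
    echo "log_passwd set: restrict who can read the audit log"
fi
```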