I want every single command typed to go to a logserver. syslog-ng is already configured to send all logs to the logserver.
I'm interested in any and all methods to do this. I would expect some discussion of rogue users and security, but the first primary objective is simply to get the sessions to log. All sessions are over ssh, but console connection commands should be logged as well. I would like this to happen for any shell, but the primary one is bash. (Again, I know a rogue user could create their own shell...)
This is not how you approach the problem. Once you give shell access to a user, you are entrusting that user to do anything he/she has the proper permissions to. Forget command logging, there are way too many ways to execute a command in any Unix system.

For example, the user may start a mail client (the only command logged is pine, for example); in there he selects "Compose", which starts VI, and from VI he launches any command he wants through :!cmd. This command isn't logged anywhere, and from the point of view of the system it is like any helper application called by VI, like grep or sort. The only command logged by the shell was pine.

It seems that what you actually want is called auditing. Enable the auditing subsystem and use the auditctl command and the auditd daemon from the audit package to control what is logged. More information is in the auditctl(8) manual page.

Note that logging every process instantiation may also not be optimal. For example, the simple ./configure for a software package (created using autotools) is notable for creating thousands of process instantiations. This will flood the auditing log with so much noise that it becomes very hard to analyze it later.

Install the acct package (package name varies by distro; also known as process accounting) and use lastcomm <username>:

You can also search by tty or command name. As usual, man lastcomm for more info.

If you're willing to do a little C programming, you can do this by writing a library that wraps execve, logs to syslog, then dlopen's the library containing the real execve syscall. Then in /etc/environment, set LD_PRELOAD to the path for the library you've made.
You will want to be careful about entering a loop here, so you may want to either only log the exec's of certain binaries, or exclude others (like syslog) from being logged.
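The execve wrapper that the answer above describes, written out as an added example (this is not the answerer's code). It interposes execve(), writes one line to syslog, and then enters the real system call through syscall(2) instead of dlopen/dlsym, which also removes the recursion risk the answer warns about because the shim never spawns anything itself. The library path, the skip list and the log-line format are assumptions made for the example.

```c
/* Added example, not the answerer's code: an LD_PRELOAD shim that logs every
 * execve(2) to syslog and then performs the real system call directly through
 * syscall(2), so there is no dlopen/dlsym and no way for the shim to re-enter itself.
 * Build:   gcc -shared -fPIC -O2 -Wall -o execlog.so execlog.c
 * Enable:  LD_PRELOAD=/usr/local/lib/execlog.so   (e.g. in /etc/environment)
 * The path, the skip list and the log format are assumptions for the example. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* Binaries whose exec is deliberately not logged (assumed list). If a log
 * consumer on the host forwards messages by spawning helpers, listing those
 * helpers here is what prevents a logging feedback loop. */
static const char *const skip_list[] = { "/usr/bin/logger", "/bin/logger", NULL };

/* Returns 1 if an exec of path should be logged, 0 if it is on the skip list. */
int should_log(const char *path)
{
    for (const char *const *p = skip_list; *p != NULL; p++)
        if (strcmp(path, *p) == 0)
            return 0;
    return 1;
}

/* Render one log line:  uid=<uid> ppid=<ppid> exec=<path> argv=[a b c]
 * Never overflows buf; on truncation the line is cut and stays NUL-terminated.
 * Returns strlen(buf). */
size_t format_exec_log(char *buf, size_t size, uid_t uid, pid_t ppid,
                       const char *path, char *const argv[])
{
    if (size == 0)
        return 0;
    int r = snprintf(buf, size, "uid=%u ppid=%d exec=%s argv=[",
                     (unsigned)uid, (int)ppid, path);
    size_t n = r < 0 ? 0 : (size_t)r;
    for (int i = 0; n < size - 1 && argv != NULL && argv[i] != NULL; i++) {
        r = snprintf(buf + n, size - n, "%s%s", i ? " " : "", argv[i]);
        n += r < 0 ? 0 : (size_t)r;
    }
    if (n < size - 1) {
        buf[n++] = ']';
        buf[n] = '\0';
    } else {
        n = size - 1;   /* truncated: snprintf already NUL-terminated at size-1 */
    }
    return n;
}

/* The interposed symbol. Dynamically linked programs that call execve()
 * (bash does) resolve it here first because of LD_PRELOAD. The call runs in
 * the forked child, so getppid() is the shell that launched the command. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    if (should_log(path)) {
        char line[1024];
        format_exec_log(line, sizeof line, getuid(), getppid(), path, argv);
        openlog("execlog", LOG_PID | LOG_NDELAY, LOG_AUTHPRIV);
        syslog(LOG_INFO, "%s", line);
        closelog();
    }
    /* Hand off to the kernel; on success this never returns. */
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

Two limits worth knowing before relying on this: the dynamic loader ignores LD_PRELOAD for set-user-ID programs and it does nothing for statically linked ones, and glibc's execl/execvp family reaches the kernel through an internal alias, so only programs that call execve() itself (which bash does) pass through the shim. A user can also simply unset LD_PRELOAD, which is the same "rogue user" caveat the question already acknowledges.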
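For the two earlier answers that recommend the audit subsystem (auditctl/auditd) and process accounting (acct/lastcomm), here is an added shell script that puts both into concrete commands; it is my example, not taken from those answers. It shows the naive "log every execve" rule that produces the flood the auditing answer warns about next to a rule set filtered on the login uid, which keeps daemons and build noise out while still attributing commands run after su/sudo to the original login. The rule key, file name and the 1000 uid boundary are assumptions.

```sh
#!/bin/sh
# Added example (not from the answers above): auditd execve rules and the
# matching ausearch/lastcomm queries. Key name, rules file and the 1000 uid
# boundary are assumptions for the example.

# Naive rule: records every execve on the box, including every process that
# ./configure or a system daemon forks. This is the "flooded log" case.
naive_rules() {
  echo '-a always,exit -F arch=b64 -S execve -k all_cmds'
}

# Restricted rule set: only syscalls whose login uid (auid) belongs to a real
# interactive session. auid is set at login and survives su/sudo, so a root
# shell reached from a user session is still attributed to that user, while
# auid!=unset drops daemons that were never logged in at all.
# $1 = lowest uid treated as a human account (default 1000).
user_exec_rules() {
  min_uid=${1:-1000}
  cat <<EOF
-a always,exit -F arch=b64 -S execve -F auid>=$min_uid -F auid!=unset -k user_cmds
-a always,exit -F arch=b32 -S execve -F auid>=$min_uid -F auid!=unset -k user_cmds
EOF
}

# Install the rules persistently and load them (needs root and the audit package).
install_user_exec_rules() {
  user_exec_rules "$1" > /etc/audit/rules.d/10-user-cmds.rules
  augenrules --load
}

# Show what one login user executed; -i decodes uids and syscall numbers.
show_user_cmds() {
  ausearch -k user_cmds -ua "$1" -i
}

# Process accounting alternative: coarser (command name, tty and time, no
# arguments) but much cheaper than auditing every execve.
enable_pacct() {
  accton on          # Debian/Ubuntu; elsewhere: accton /var/account/pacct
}
pacct_by_user() {
  lastcomm --user "$1"
}
```

Run install_user_exec_rules once as root, then show_user_cmds alice after the fact; the records also reach the logserver through syslog-ng if auditd's syslog plugin is enabled, which is the path the question already has in place.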
Sounds to me like you're looking for something like rootsh (man page). To quote the man page:
Despite the name, this can be used for any user.
You're probably better off having users use sudo (or similar) to run commands you care about, and trusting the users at some level. As you get closer to "fully controlling" things, the harder it is to track down what they're doing. I've recently been looking at tools like this, for example. Mostly they just create logs which are difficult to manage if you have enough users and machines to make such a thing worthwhile. :)
Consider all the information you'll be generating. How much of it do you care about? Probably very little - so you're generating logs that are mostly worthless. Auditing the things you actually care about, like others are suggesting, probably gets you to a better end state.
Bash can be compiled with syslog support since 4.1.
It's not foolproof (process accounting might be better for that), but it's mostly user interaction; the volume should be more manageable and you'll be able to switch to something more detailed if suspecting something abnormal.
That said, this is way intrusive and as a user I would expect a very specific privacy warning before you started doing that.
There's also sudosh (http://sudosh.sourceforge.net) that will do session logging. You have the option of running it as a defined shell for a user or through sudo. It tracks timings for each session as well so you can replay the session and watch it (including edit sessions and whatnot).