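#!/bin/bash
# Author: Ali_Alwashali
#
# Purpose: record every interactive bash command line to the local6 syslog
# facility (PROMPT_COMMAND + logger), keep a local copy under
# /var/log/bash_history, forward the stream to a remote syslog server and
# rotate the local copy.
#
# Usage: forward_bash_history.sh [SYSLOG_SERVER]
#   SYSLOG_SERVER: host or IP of the syslog collector (also read from the
#   environment). Defaults to the placeholder "syslog_IP", which has to be
#   replaced before rsyslog can actually forward anything.
#
# Must run as root: it edits the system-wide bashrc, /etc/rsyslog.conf,
# /etc/rsyslog.d and /etc/logrotate.d.
#
# Scope: this is a best-effort audit trail, not a tamper-proof control. Any
# user can unset PROMPT_COMMAND, start "bash --norc" or use another shell; an
# enforceable record needs the kernel audit subsystem (auditd), with this
# script as the convenience layer on top.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "this script must run as root"

SYSLOG_SERVER=${1:-${SYSLOG_SERVER:-syslog_IP}}
readonly SYSLOG_SERVER
readonly LOG_DIR=/var/log/bash_history
readonly LOG_FILE="$LOG_DIR/bash_history.log"
readonly MARKER='# Added: bash history logging'

# RHEL-style systems ship /etc/bashrc, Debian/Ubuntu ship /etc/bash.bashrc.
if [[ -f /etc/bashrc ]]; then
  FILE=/etc/bashrc
else
  FILE=/etc/bash.bashrc
fi
readonly FILE

# Append the hook only once so re-running the script does not stack copies.
# The heredoc delimiter is quoted: the text is written literally and expanded
# later, when each interactive shell sources the file.
if ! grep -qF -- "$MARKER" "$FILE"; then
  cat <<'EOF' >> "$FILE"
# Added: bash history logging
export HISTTIMEFORMAT="%F %T "
# Capture $? before the $(...) substitutions inside the logger argument run,
# otherwise it reports sed's status instead of the user's command. Chain onto
# any PROMPT_COMMAND already set rather than replacing it.
export PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND; }"'__bh_rc=$?; logger -p local6.debug "$(whoami) $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$__bh_rc]"'
EOF
fi

# Local copy of the stream. rsyslog on Debian/Ubuntu drops privileges to the
# "syslog" user, which needs to own the directory as well as the file: after
# logrotate renames the log, rsyslog has to create a fresh one inside LOG_DIR.
# 0750/0640 because command lines routinely carry secrets passed as arguments.
mkdir -p -- "$LOG_DIR"
touch -- "$LOG_FILE"
if id syslog >/dev/null 2>&1; then
  chown syslog "$LOG_DIR" "$LOG_FILE"
else
  printf 'warning: no "syslog" user on this host; give %s to the user rsyslog runs as\n' "$LOG_DIR" >&2
fi
chmod 0750 -- "$LOG_DIR"
chmod 0640 -- "$LOG_FILE"

# Local file sink. Same content on every run, so a plain overwrite is correct.
cat <<EOF > /etc/rsyslog.d/bash_history_forwarding.conf
local6.* $LOG_FILE
EOF

# Remote forwarding. "*.*" already includes local6 and sends every message,
# which is very noisy; "authpriv.*;local6.*" is a sensible narrower start.
# A single "@" is plain UDP: no delivery guarantee and no confidentiality for
# the command lines in transit. "@@" switches to TCP; add rsyslog's TLS
# stream driver before forwarding across an untrusted network.
if ! grep -qF -- '## logs fowarding to syslog server' /etc/rsyslog.conf; then
  cat <<EOF >> /etc/rsyslog.conf
## logs fowarding to syslog server
*.*;local6.* @$SYSLOG_SERVER:514
EOF
fi

# Rotate the local file. Overwrite rather than append so a re-run does not
# produce a duplicate stanza, which logrotate rejects for the same path.
# /usr/lib/rsyslog/rsyslog-rotate is the Debian/Ubuntu helper that HUPs
# rsyslogd; other distributions need their own equivalent here.
cat <<EOF > /etc/logrotate.d/bash_history
$LOG_DIR/*.log
{
  rotate 7
  daily
  missingok
  notifempty
  delaycompress
  compress
  postrotate
    /usr/lib/rsyslog/rsyslog-rotate
  endscript
}
EOF

# Pick up both sinks; fail loudly instead of leaving a half-applied config.
systemctl restart rsyslog.service || die "rsyslog restart failed; see 'journalctl -u rsyslog'"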