It is important to monitor every command a system administrator or operator executes on the servers. In addition, logging the changes made to systems is required to comply with information security standards such as ISO 27001.
On Linux this can be done with a simple shell function. Once you have a remote Rsyslog server configured, append the following function and trap to the /etc/profile file. /etc/profile is sourced whenever a login shell starts, so every time a command is executed the trap named trap_cmd_to_syslog calls the send_cmd_to_syslog function.
${remote_host} is extracted from the output of the $(who am i) command. $BASH_COMMAND holds the command that is currently being executed or is about to be executed.
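One way to implement the function and trap described above, as an added example that is not the original post's code: the snippet below is meant to be appended to /etc/profile and assumes the local syslog daemon already forwards the local6 facility to the remote Rsyslog server. The function names get_remote_host, format_cmd_log_line and send_cmd_to_syslog, the local6.notice priority and the bash_audit tag are this example's own choices.

```shell
# Added example (not the original post's code): log every interactive bash
# command to syslog from a DEBUG trap installed in /etc/profile.
# Assumes rsyslog forwards facility local6 to the remote collector
# (e.g. a rule such as "local6.* @@collector.example.com:514", placeholder host).

# Build one structured log line from its parts. Kept separate from the trap
# so the format can be checked without actually calling logger.
format_cmd_log_line() {
    # $1=login user  $2=effective user  $3=origin host  $4=cwd  $5=command
    printf 'user=%s euid=%s from=%s cwd=%s cmd=%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Resolve where the session came from. "who am i" prints the login tty and
# the origin host in parentheses; it prints nothing for non-login shells
# (su, cron), so fall back to "local" rather than logging an empty field.
get_remote_host() {
    origin=$(who am i 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p')
    if [ -n "$origin" ]; then
        printf '%s\n' "$origin"
    else
        printf 'local\n'
    fi
}

# Called by the DEBUG trap before each simple command; $BASH_COMMAND is the
# command about to run. The login name (logname) and effective id are used
# instead of $USER, which a user can overwrite in their own environment.
send_cmd_to_syslog() {
    login_user=$(logname 2>/dev/null || printf '%s' "$USER")
    format_cmd_log_line "$login_user" "$(id -un)" "${remote_host:-local}" \
        "$PWD" "$BASH_COMMAND" | logger -p local6.notice -t bash_audit
}

# Install the trap only in an interactive bash: dash has no DEBUG trap, and
# non-interactive shells (scripts, scp) would flood the log.
if [ -n "$BASH_VERSION" ] && [ -n "$PS1" ]; then
    remote_host=$(get_remote_host)
    trap 'send_cmd_to_syslog' DEBUG
fi
```

Commands then arrive at the collector as lines like `user=alice euid=root from=192.0.2.10 cwd=/etc cmd=systemctl restart sshd` (constructed sample). Because the trap lives inside the user's own shell process, a user can remove or override it and it never sees commands run from scripts or from a non-bash shell, so treat this feed as a convenience audit trail and pair it with auditd (execve or pam_tty_audit rules) when tamper-resistant command logging is required.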