This is a temporary solution which takes care of the first question, as well as introduces the use of auditd interactively, outside of the pam_tty module solution provided in the other answer.
bash
So the history lines are written to the bash_history file every time because of PROMPT_COMMAND, and since $BASH_COMMAND is in the trap, the command typed on the cli is the command being executed. If I remove the history -a, I can see my PS1 being echoed. So it's a fluke and maybe there's a better way of doing this, but in the meantime this works perfectly and removes all the duplicate lines. The output also includes alias expansion for some reason.
It is also possible to do this without the trap using PROMPT_COMMAND only, like so:
PROMPT_COMMAND='history -w; history -a; history -r; command=$(fc -ln 0); logger -p local1.notice -t bash -i -- "$USER : $command"'
It doesn't show alias expansion, but it has a small defect I can't correct: if you just press enter with nothing else on the line, it outputs the last command to logs. You can't merge the arwn history options. We write the history we have to file, then write the appended history since the beginning of the session, then we read it back, and then we look for the last line.
zsh
With zsh we can use the precmd builtin function, similar to P_C, like so, with one shell specific shell option, all in .zshrc:
setopt incappendhistory
precmd () {
    command="$(fc -n -e - -l -1)"
    logger -p local1.notice -t bash -i "$USER : $command"
}
And that's it!
Audit
Audit is an auditing package containing a daemon with plugins and reporting facilities. It uses a rules-based approach (see security oriented audit.rules example here) to trap and log events. Install the package then make sure you have this in /etc/conf.d/auditd: