Логирование bash history в /var/log
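# auditd daemon settings are kept in /etc/audit/auditd.conf (a file to review,
# not a command to run).
# Host report from the audit log (-h), with numeric fields translated to
# names (-i), narrowed to the lines that mention root.
aureport -h -i | uniq | grep root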
кто подключался
# Record every execve() made with effective UID 0, once per syscall ABI.
# The resulting records also carry auid (the login UID), which is what ties a
# root command back to the account that originally logged in.
# Rules added with auditctl exist only in the running kernel; to keep them
# across a reboot, place the same rules in /etc/audit/audit.rules (or in a file
# under /etc/audit/rules.d/ on systems that build the rule set from there).
for abi in b64 b32; do
  auditctl -a exit,always -F "arch=${abi}" -F euid=0 -S execve -k root-commands
done

# Additionally record file access by euid 0 that requests attribute change (a),
# write (w) or execute (x) permission, under the same key.
# NOTE(review): this rule is likely to be high-volume on a busy host; check
# log rotation settings in auditd.conf before leaving it enabled.
auditctl -a exit,always -S all -F euid=0 -F perm=awx -k root-commands

# Show the events collected under the root-commands key.
ausearch -k root-commands
Сохраняет ~/.bash_history в /var/log/historyROOT.log
# Open this account's ~/.bashrc in gedit (in the background) to add the
# history settings.
gedit ~/.bashrc &
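# History logging for this account: before every prompt, new history lines are
# appended to ~/.bash_history and copied to syslog facility local6.
# One statement per line: when collapsed onto a single line, everything after
# the first `export` is parsed as its arguments and `shopt` never runs.
# NOTE(review): these settings live in a file the account itself can edit, so
# the user can unset them or start another shell. Treat this log as a
# convenience record; the auditd execve rules are the control to rely on.
# NOTE(review): command lines may contain passwords or tokens, and they end up
# in the syslog file verbatim, so restrict who can read that file.

# Timestamp format shown next to each entry by `history`.
export HISTTIMEFORMAT="%h %d %H:%M:%S "

# Runs before each prompt: `history -a` writes the not-yet-saved lines into the
# process substitution, where tee appends them to ~/.bash_history and logger
# sends them to local6.info, tagged with user, shell PID and SSH connection.
# This assignment replaces any PROMPT_COMMAND set earlier.
export PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.info -t "$USER[$$] $SSH_CONNECTION")'

# A line identical to the previous one is not saved, so an immediately
# repeated command is not logged a second time.
export HISTCONTROL=ignoredups

# Append to the history file on exit instead of overwriting it.
shopt -s histappend

HISTSIZE=500                 # entries kept in memory
HISTFILESIZE=9999999999999   # very large cap on lines kept in the history file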
Прописать в gedit /etc/syslog.conf &
# Send facility local6 at priority info and above to the root history log
# (the logger call in PROMPT_COMMAND writes with -p local6.info).
local6.info /var/log/historyROOT.log
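# Create the log file before restarting syslog. The path must match the one in
# the local6.info rule of /etc/syslog.conf (/var/log/historyROOT.log).
# Command history can contain secrets, so the file is made unreadable to other
# local users before the daemon starts writing to it.
# NOTE(review): if the syslog daemon runs as an unprivileged account, the file
# also has to be owned by that account; confirm for this system.
touch /var/log/historyROOT.log &&
  chmod 600 /var/log/historyROOT.log &&
  /etc/init.d/syslog restart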
Перезапустить bash
# Re-read ~/.bashrc in the current shell so the new history settings take
# effect; shells that are already open keep their old settings until they do
# the same or are restarted.
source ~/.bashrc