
intro

Edit the user's .bashrc (for example /home/agungsurya/.bashrc), creating it if it does not exist:

nano ~/.bashrc

(sudo is only needed when you are editing another user's file.) Add one of the following lines. They are three versions of the same hook: bash runs PROMPT_COMMAND before every prompt, so each line fetches the last history entry, strips the history number with sed and hands the command to logger on the local6 facility. V1 logs the user, the shell's PID ($$) and the command. V2 appends the client address, which is the first word of $SSH_CONNECTION (empty for local logins). V3 also appends the terminal the shell is attached to. In all three the exit status is captured into RETRN_VAL but never written to the log line.

V1:

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" )"'

V2:

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) - from $(echo $SSH_CONNECTION | awk "{print \$1}")"'

V3:

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) - from $(echo $SSH_CONNECTION | awk "{print \$1}") - TTY $(ps -o tty= -p $$)"'

The original V3 read the terminal with ps ax | grep $$ | grep -v grep | awk "{ print \$2 }" and labelled the field PID. Column 2 of ps ax is the TTY, so it printed pts/N (the V3 output below still shows that label), and grep $$ can also match unrelated processes whose PID or command line happens to contain the same digits. ps -o tty= -p $$ returns only the terminal of this shell.

Reload it in the current shell (new login shells pick it up automatically):

source ~/.bashrc
Create /etc/rsyslog.d/bash.conf:
sudo -e /etc/rsyslog.d/bash.conf
and add the following line, which sends everything logged to the local6 facility into its own file:
local6.*    /var/log/commands.log
Edit /etc/logrotate.d/syslog (on Debian and Ubuntu the rsyslog stanza lives in /etc/logrotate.d/rsyslog instead):
sudo -e /etc/logrotate.d/syslog
and add the new file to the list of paths at the top of the stanza, before the opening brace, so it is rotated together with the other syslog files:
/var/log/commands.log
Restart rsyslog so it picks up the new rule:
sudo service rsyslog restart
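The whole procedure above in one piece, as an added example that is not the blog's own code: the hook is a named function instead of a quoted one-liner, the exit status the page stores in RETRN_VAL is actually logged, the client address comes from ${SSH_CONNECTION%% *} instead of echo|awk, the terminal comes from tty, the duplicate line you get from pressing Enter on an empty prompt (the "message repeated 2 times" entry in the V1 output) is suppressed in the shell, and the rsyslog rule is written with "& stop" so the lines are not copied into /var/log/syslog as well. The file name /etc/profile.d/cmdlog.sh, the function names and the demo values are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the page's PROMPT_COMMAND hook
# as a function, with the exit status logged and a duplicate guard, plus the
# rsyslog rule it depends on.

# Pure formatter with no side effects, so it can be tested without an
# interactive shell or a running syslog.
#   $1 exit status  $2 user  $3 shell pid  $4 raw `history 1` line
#   $5 $SSH_CONNECTION (may be empty)  $6 tty name
bash_cmdlog_format() {
    local rc="$1" user="$2" pid="$3" hist="$4" sshconn="$5" tty="$6"
    local cmd src
    # `history 1` prints "  123  cmd"; drop the number as the page's sed does.
    cmd=$(printf '%s\n' "$hist" | sed 's/^[[:space:]]*[0-9]\{1,\}[[:space:]]*//')
    # SSH_CONNECTION is "client_ip client_port server_ip server_port";
    # it is unset for console/local logins.
    src=${sshconn%% *}
    [ -n "$src" ] || src=local
    printf '%s [%s]: %s - rc=%s - from %s - tty %s\n' \
        "$user" "$pid" "$cmd" "$rc" "$src" "$tty"
}

# The hook bash runs before each prompt. `$?` must be read first, before
# any other command overwrites it.
bash_cmdlog_hook() {
    local rc=$? hist tty
    hist=$(history 1)
    [ -n "$hist" ] || return 0          # fresh shell, nothing to log yet
    # Enter on an empty prompt adds no history entry, so `history 1` returns
    # the same numbered line again; skip it instead of relying on rsyslog's
    # "message repeated N times" squashing. (With HISTCONTROL=ignoredups an
    # identical command run twice in a row is collapsed the same way.)
    [ "$hist" = "${BASH_CMDLOG_LAST-}" ] && return 0
    BASH_CMDLOG_LAST=$hist
    tty=$(tty 2>/dev/null) || tty=notty
    logger -p local6.debug "$(bash_cmdlog_format "$rc" "$(id -un)" "$$" \
        "$hist" "${SSH_CONNECTION-}" "$tty")"
}

# Activation. Per user: put both functions and this line in ~/.bashrc.
# For every user: put them in /etc/profile.d/cmdlog.sh (assumed name).
# `readonly` stops a casual `unset PROMPT_COMMAND`, but anyone who can start
# another shell (sh, zsh, `bash --norc`) or run a non-interactive command
# over ssh skips the hook entirely: this is an audit trail, not a control.
#   PROMPT_COMMAND=bash_cmdlog_hook; readonly PROMPT_COMMAND

# rsyslog side, run as root. "& stop" keeps the lines out of /var/log/syslog
# as well; drop it if you want them in both places.
bash_cmdlog_install_rsyslog() {
    printf '%s\n' 'local6.*    /var/log/commands.log' '& stop' \
        > /etc/rsyslog.d/bash.conf
    systemctl restart rsyslog
}

# Constructed demo values (not real log data): an ssh login from
# 203.0.113.5 whose last command exited 0.
bash_cmdlog_format 0 agungsurya 655543 \
    '  1042  sudo getent shadow agungsurya' '203.0.113.5 51234 10.0.0.2 22' pts/3
```

The formatter is kept separate from the hook on purpose: the hook can only run inside an interactive bash with a syslog daemon listening, while the message layout is what you will later grep, so that part is the one worth exercising on its own.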
The result looks like the following. The user's plain commands and the ones run through sudo both appear, because the hook runs in the user's own shell; a command typed inside a root shell started with sudo -i or sudo su is only recorded if /root/.bashrc carries the same line:

Apr 21 10:47:20 hexadecimal agungsurya: agungsurya [655543]: ssh [email protected] -p 2441
Apr 21 10:53:48 hexadecimal agungsurya: agungsurya [655543]: cd /home/.ssh
Apr 21 10:53:53 hexadecimal agungsurya: agungsurya [655543]: cd /root/.ssh
Apr 21 10:55:19 hexadecimal agungsurya: agungsurya [655543]: sudo
Apr 21 10:58:11 hexadecimal agungsurya: agungsurya [655543]: sudo uname
Apr 21 10:58:18 hexadecimal agungsurya: agungsurya [655543]: neofetch
Apr 21 10:58:22 hexadecimal agungsurya: agungsurya [655543]: gapt
Apr 21 10:58:26 hexadecimal agungsurya: agungsurya [655543]: sudo uname -a
Apr 21 10:58:36 hexadecimal agungsurya: agungsurya [655543]: getent
Apr 21 10:58:47 hexadecimal agungsurya: agungsurya [655543]: sudo getent passwd agungsurya
Apr 21 10:58:50 hexadecimal agungsurya: agungsurya [655543]: sudo getent shadow agungsurya
Apr 21 10:59:14 hexadecimal agungsurya: agungsurya [655543]: unix
Apr 21 11:08:57 hexadecimal agungsurya: agungsurya [655543]: curl https://pastebin.com/raw/0DzuriyD
Apr 21 11:09:05 hexadecimal agungsurya: agungsurya [655543]: mkpasswd
Apr 21 11:09:35 hexadecimal agungsurya: message repeated 2 times: [ agungsurya [655543]: mkpasswd]

The last entry, "message repeated 2 times", is rsyslog's duplicate suppression: pressing Enter on an empty prompt adds nothing to the history, so the hook logs the previous command again.

Version V2 output, with the client address appended:

Apr 24 08:57:00 hexadecimal agungsurya: agungsurya [170618]: sudo nano /etc/ssh/sshd_config - from 223.255.228.101
Apr 24 08:57:06 hexadecimal agungsurya: agungsurya [170618]: sudo systemctl restart sshd - from 223.255.228.101
Apr 24 08:57:09 hexadecimal agungsurya: agungsurya [170618]: sudo systemctl restart ssh - from 223.255.228.101
Apr 24 08:57:57 hexadecimal agungsurya: agungsurya [175573]: tmux attach-session - from 142.202.243.83
Apr 24 08:58:00 hexadecimal agungsurya: agungsurya [175573]: pwd - from 142.202.243.83
Apr 24 08:58:03 hexadecimal agungsurya: agungsurya [175573]: ls - from 142.202.243.83
Apr 24 08:58:07 hexadecimal agungsurya: agungsurya [170618]: whomai - from 223.255.228.101
Apr 24 08:58:13 hexadecimal agungsurya: agungsurya [170618]: whoami - from 223.255.228.101
Apr 24 08:58:25 hexadecimal agungsurya: agungsurya [175573]: ping 8.8.8.8 - from 142.202.243.83
Apr 24 08:58:30 hexadecimal agungsurya: agungsurya [170618]: curl google.com - from 223.255.228.101

Version V3 output. The last field is the terminal (pts/N), not a process ID, because column 2 of ps ax is the TTY; commandss.log is what the user actually typed and is recorded as-is:

Apr 24 09:37:53 hexadecimal agungsurya: agungsurya [187943]: sudo tail -f /var/log/commandss.log - from 142.202.243.83 - PID pts/10
Apr 24 09:37:56 hexadecimal agungsurya: agungsurya [187943]: w - from 142.202.243.83 - PID pts/10
Apr 24 09:38:04 hexadecimal agungsurya: agungsurya [188070]: sudo tail -f /var/log/commandss.log - from 223.255.228.101 - PID pts/12
Apr 24 09:38:06 hexadecimal agungsurya: agungsurya [188070]: ls - from 223.255.228.101 - PID pts/12
Apr 24 09:38:08 hexadecimal agungsurya: agungsurya [188070]: clear - from 223.255.228.101 - PID pts/12
Apr 24 09:38:16 hexadecimal agungsurya: agungsurya [188070]: sudo tail -f /var/log/commandss.log - from 223.255.228.101 - PID pts/12
Apr 24 09:38:17 hexadecimal agungsurya: agungsurya [188070]: w - from 223.255.228.101 - PID pts/12
Apr 24 09:38:26 hexadecimal agungsurya: agungsurya [188070]: pkill -9 -t pts/10 - from 223.255.228.101 - PID pts/12
Apr 24 09:39:02 hexadecimal agungsurya: agungsurya [188481]: sudo tail -f /var/log/commandss.log - from 142.202.243.83 - PID pts/10
Apr 24 09:39:05 hexadecimal agungsurya: agungsurya [188481]: w - from 142.202.243.83 - PID pts/10
Apr 24 09:39:20 hexadecimal agungsurya: agungsurya [188481]: sudo cat /etc/passwd - from 142.202.243.83 - PID pts/10
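Reading the log back, as an added example that is not part of the original post: a small watchlist in shell run over a handful of the page's own sample lines (copied into the block as test input), flagging the entries a reviewer would pull out of this output (a shadow read via getent, a fetch from pastebin, an sshd_config edit, a pkill of another terminal) and counting commands per client address. The patterns and the function names are assumptions about what matters on this host, not anything the page defines.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a watchlist over lines in the
# format /var/log/commands.log ends up with.

# Sample lines copied from the page's own output, used here as test input.
CMDLOG_SAMPLE=$(printf '%s\n' \
 'Apr 21 10:58:50 hexadecimal agungsurya: agungsurya [655543]: sudo getent shadow agungsurya' \
 'Apr 21 11:08:57 hexadecimal agungsurya: agungsurya [655543]: curl https://pastebin.com/raw/0DzuriyD' \
 'Apr 21 11:09:05 hexadecimal agungsurya: agungsurya [655543]: mkpasswd' \
 'Apr 24 08:57:00 hexadecimal agungsurya: agungsurya [170618]: sudo nano /etc/ssh/sshd_config - from 223.255.228.101' \
 'Apr 24 08:58:13 hexadecimal agungsurya: agungsurya [170618]: whoami - from 223.255.228.101' \
 'Apr 24 09:38:26 hexadecimal agungsurya: agungsurya [188070]: pkill -9 -t pts/10 - from 223.255.228.101 - PID pts/12' \
 'Apr 24 09:39:20 hexadecimal agungsurya: agungsurya [188481]: sudo cat /etc/passwd - from 142.202.243.83 - PID pts/10')

# Read log lines on stdin; print "<reason><TAB><line>" for every line whose
# command matches the watchlist. Non-matching lines (whoami, cat /etc/passwd)
# pass through silently.
cmdlog_flag() {
    local line cmd reason
    while IFS= read -r line; do
        # The command sits between "]: " and " - from " (V1 lines have no " - from").
        cmd=${line#*"]: "}
        cmd=${cmd%%" - from "*}
        reason=
        case "$cmd" in
            *'getent shadow'*|*/etc/shadow*|*/etc/sudoers*) reason=credential-file-read ;;
            */etc/ssh/sshd_config*)                          reason=sshd-config-edit ;;
            *pkill*' -t '*)                                  reason=session-kill ;;
            *pastebin.com*)                                  reason=paste-site-fetch ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$line"
        fi
    done
}

# Commands per client address (V2/V3 lines only), one "count ip" per line,
# busiest address first.
cmdlog_sources() {
    sed -n 's/.* - from \([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

printf '%s\n' "$CMDLOG_SAMPLE" | cmdlog_flag
printf '%s\n' "$CMDLOG_SAMPLE" | cmdlog_sources
```

On a live host the input is simply tail -f /var/log/commands.log piped into cmdlog_flag; the per-address count is the quickest way to notice that two different client addresses were driving the same account at the same time, which is exactly what the V2 and V3 samples show.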