Log every executed command to syslog.

Display operating system.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

Display default user, group, permissions, and umask for log files.

$ cat /etc/rsyslog.conf | grep "^\$File\|\$Umask"
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$Umask 0022

Ensure that executed commands are stored in a dedicated log file using clearly defined permissions.

$ cat << EOF | sudo tee /etc/rsyslog.d/01-snoopy.conf
# Send snoopy messages to a dedicated logfile
if (\$programname startswith "snoopy") then {
  action(type="omfile" fileOwner="root" fileGroup="root" fileCreateMode="0600" file="/var/log/snoopy.log")
  stop
}
EOF
# Send snoopy messages to a dedicated logfile
if ($programname startswith "snoopy") then {
  action(type="omfile" fileOwner="root" fileGroup="root" fileCreateMode="0600" file="/var/log/snoopy.log")
  stop
}

Restart rsyslog daemon to reread configuration files.

$ sudo systemctl restart rsyslog

Ensure that snoopy library will be preloaded after installation.

$ cat << EOF | sudo debconf-set-selections
snoopy snoopy/install-ld-preload boolean true
EOF

Install snoopy, a shared library that is preloaded as a wrapper around the execve() function provided by libc, so that every executed command is logged to syslog (authpriv facility).

$ sudo apt install snoopy
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  snoopy
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 46.0 kB of archives.
After this operation, 123 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 snoopy amd64 2.4.6-5 [46.0 kB]
Fetched 46.0 kB in 0s (194 kB/s)
Preconfiguring packages ...
Selecting previously unselected package snoopy.
(Reading database ... 31939 files and directories currently installed.)
Preparing to unpack .../snoopy_2.4.6-5_amd64.deb ...
Unpacking snoopy (2.4.6-5) ...
Setting up snoopy (2.4.6-5) ...
Processing triggers for libc-bin (2.28-10) ...

Verify owner, group, and permissions on the created log file.

$ ls -l /var/log/snoopy.log
-rw------- 1 root root 1747 Jan 19 01:53 /var/log/snoopy.log

Display executed commands.

$ sudo cat /var/log/snoopy.log
Jan 19 01:53:33 debian snoopy[1275]: [login:milosz ssh:(10.0.2.2 57166 10.0.2.15 22) sid:999 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: /usr/bin/clear_console -q
Jan 19 01:53:35 debian snoopy[1280]: [login:milosz ssh:((undefined)) sid:1277 tty:(none) ((none)/(none)) uid:root(0)/root(0) cwd:/]: /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d
Jan 19 01:53:35 debian snoopy[1281]: [login:milosz ssh:((undefined)) sid:1277 tty:(none) ((none)/(none)) uid:root(0)/root(0) cwd:/]: /etc/update-motd.d/10-uname
Jan 19 01:53:35 debian snoopy[1282]: [login:milosz ssh:((undefined)) sid:1277 tty:(none) ((none)/(none)) uid:root(0)/root(0) cwd:/]: uname -snrvm
Jan 19 01:53:35 debian snoopy[1284]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: -bash
Jan 19 01:53:35 debian snoopy[1285]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: id -u
Jan 19 01:53:35 debian snoopy[1286]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: dircolors -b
Jan 19 01:53:40 debian snoopy[1299]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: ls --color=auto -l /var/log/
Jan 19 01:53:42 debian snoopy[1304]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: ls --color=auto -l /var/log/snoopy.log
Jan 19 02:10:50 debian snoopy[1305]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: sudo cat /var/log/snoopy.log
Jan 19 02:10:50 debian snoopy[1306]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:root(0)/root(0) cwd:/home/milosz]: cat /var/log/snoopy.log
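Each log line above carries the same bracketed context (login name, SSH connection tuple, session id, tty and its owner, the uid the command ran under, working directory) followed by the command itself. The following Python script is an added example, not part of the original post or of the snoopy project: it parses lines in that default message format and reports commands that ran under a uid other than the login user's, which is how a sudo-spawned root command (pid 1306 above) or a non-interactive root hook such as the update-motd run shows up. The sample input is copied from the log output above; the function names, and the reading of the two uid entries as real and effective uid, are assumptions of this example.

```python
import re
from collections import Counter

# Four lines copied from the snoopy log output shown above (default snoopy message format).
SAMPLE_LOG = """\
Jan 19 01:53:33 debian snoopy[1275]: [login:milosz ssh:(10.0.2.2 57166 10.0.2.15 22) sid:999 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: /usr/bin/clear_console -q
Jan 19 01:53:35 debian snoopy[1280]: [login:milosz ssh:((undefined)) sid:1277 tty:(none) ((none)/(none)) uid:root(0)/root(0) cwd:/]: /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d
Jan 19 02:10:50 debian snoopy[1305]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: sudo cat /var/log/snoopy.log
Jan 19 02:10:50 debian snoopy[1306]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:root(0)/root(0) cwd:/home/milosz]: cat /var/log/snoopy.log
"""

# Outer syslog envelope: timestamp, host, "snoopy[pid]: [context]: command".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snoopy\[(?P<pid>\d+)\]: \[(?P<ctx>.*?)\]: (?P<cmd>.*)$"
)

# Bracketed context. Non-greedy groups cope with the "((undefined))" and
# "((none)/(none))" spellings that appear for non-interactive sessions.
# Assumption: the two uid entries are "real(uid)/effective(euid)".
CTX_RE = re.compile(
    r"^login:(?P<login>\S+) ssh:\((?P<ssh>.*?)\) sid:(?P<sid>\d+) "
    r"tty:(?P<tty>\S+) \((?P<tty_owner>.*?)\) "
    r"uid:(?P<uid_name>[^(]+)\((?P<uid>\d+)\)/(?P<euid_name>[^(]+)\((?P<euid>\d+)\) "
    r"cwd:(?P<cwd>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one snoopy log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    c = CTX_RE.match(m.group("ctx"))
    if not c:
        return None
    rec = m.groupdict()
    rec.update(c.groupdict())
    for key in ("pid", "sid", "uid", "euid"):
        rec[key] = int(rec[key])
    # A tty of "(none)" means the command was not run from an interactive terminal.
    rec["interactive"] = rec["tty"] != "(none)"
    # The command ran under a different account than the one that logged in
    # (for example the child process spawned by sudo).
    rec["elevated"] = rec["login"] != rec["uid_name"]
    return rec


def parse_log(text):
    """Parse every line of a log extract, silently skipping lines in another format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def elevated_commands(records, interactive_only=False):
    """Commands executed as a uid other than the login user's.

    With interactive_only=True, root hooks that run without a tty (such as the
    update-motd scripts during login) are left out, leaving commands typed at a shell.
    """
    return [
        r for r in records
        if r["elevated"] and (r["interactive"] or not interactive_only)
    ]


def commands_per_login(records):
    """Count logged commands per login name, a quick volume baseline per account."""
    return Counter(r["login"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} lines; per login: {dict(commands_per_login(recs))}")
    for r in elevated_commands(recs):
        kind = "interactive" if r["interactive"] else "no tty"
        print(f"{r['ts']} pid={r['pid']} login={r['login']} ran as "
              f"{r['uid_name']}({r['uid']}) [{kind}]: {r['cmd']}")
```

On a real host the script would read /var/log/snoopy.log (root-only, per the permissions set above) instead of the embedded sample; with interactive_only=True only the sudo-spawned `cat` (pid 1306) is reported, while the default also lists the root-run MOTD hook (pid 1280).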

Excellent!
