Bash bofh
Written by Juzzy   
Wednesday, 16 March 2011 14:15

Bash bofh - Probably the most common question I get is, why do I need this? And my response is, you don't. In a nutshell, all it does is show you when someone logs into a new shell (that calls bash) and log their commands to syslog. If you're one of those paranoid, anti-big-gov types, then sorry, this probably offends you. I personally love this patch: not only does it keep up with what all 80+ IT users are doing in our 300-450+ Linux server environment in real time, it also lets us go back and search for old commands that we ran a year ago but have since forgotten. I use it exclusively for just that. It's also a nice way to figure out what people did to a server if it starts acting funny, or what they did the last time it acted funny.

Now if you're not offended too much, let's dig into how it's done:

I've written a helper script that pulls bash of any version along with all of its patches (requires ncftp). Download fetchlatest.sh.

#!/bin/bash
# Fetch a bash release plus all of its official patches from ftp.gnu.org,
# unpack it and apply the patches in order. Requires the ncftp tools.
set -e

if [ $# -ne 1 ]; then
    # No version given: list what the mirror has and ask.
    ncftpls "ftp://ftp.gnu.org/pub/gnu/bash/bash-*"
    echo "Enter the version, ie: 4.2"
    read ver
else
    ver=$1
fi

mkdir "bash-$ver"
cd "bash-$ver"

ncftpget "ftp://ftp.gnu.org/pub/gnu/bash/bash-$ver.tar.gz"
ncftpget "ftp://ftp.gnu.org/pub/gnu/bash/bash-$ver-patches/*"

echo "Extracting...."
tar zxf "bash-$ver.tar.gz"
echo "Patching...."
# The .sig files are deleted here rather than verified; if you keep the GNU
# keyring around, verify the tarball and patches before removing them.
rm -f ./*sig "bash-$ver.tar.gz"

cd "bash-$ver"

# The patch files sort lexically (bash42-001, bash42-002, ...), which is the
# order they must be applied in. The -f test skips the extracted directory.
for x in ../*; do
    if [ -f "$x" ]; then
        echo "patching $x"
        patch -p0 < "$x"
    fi
done

Now you should be in the actual build directory. Let's apply my bash-bofh-4.2.7.patch (currently for 4.2.7):

diff -U 2 -r bash-4.2/bashhist.c bash-4.2_orig/bashhist.c
--- bash-4.2/bashhist.c 2011-03-15 10:00:47.000000000 -0500
+++ bash-4.2_orig/bashhist.c    2011-03-15 09:56:24.000000000 -0500
@@ -32,7 +32,4 @@
#include "bashtypes.h"
#include <stdio.h>
-#include <syslog.h>
-#include <pwd.h>
-#include <sys/types.h>
#include <errno.h>
#include "bashansi.h"
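Review bot: the diff is reversed: `diff -U 2 -r bash-4.2/bashhist.c bash-4.2_orig/bashhist.c` passes the modified tree first and the pristine tree second, so the lines the patch is meant to add (`-#include <syslog.h>`, `-#include <pwd.h>`, `-#include <sys/types.h>`) appear as removals. Applied with the plain `patch -p0 < bash-bofh-4.2.7.patch` the article gives, patch will report a reversed hunk and prompt to assume -R; regenerate the diff with the `_orig` tree as the first argument (or apply with `patch -R`). The `-p0` paths `bash-4.2/...` also assume the current directory is the parent of the build tree, whereas the fetch script leaves the reader inside `bash-$ver`; from inside the build directory `-p1` matches these paths.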
@@ -684,7 +681,4 @@
int force;
{
-  struct passwd *pwd_ent;
-  pwd_ent = getpwuid(getuid());
-  syslog(LOG_INFO, "[%s] %s", pwd_ent->pw_name, line);
if (check_history_control (line) && history_should_ignore (line) == 0)
{
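Review bot: `pwd_ent = getpwuid(getuid());` is dereferenced unconditionally on the next line, but getpwuid() returns NULL when the uid has no passwd entry or the NSS lookup fails (directory service down, chroot without /etc/passwd), and that crashes the shell on the first command typed. Check for NULL and fall back to the numeric uid, e.g. `pwd_ent ? pwd_ent->pw_name : "?"` with `getuid()` added to the format. Worth documenting as well: the syslog() call sits before `check_history_control (line)`, so every line reaches the log regardless of HISTCONTROL or HISTIGNORE, including any secret typed on a command line; the log file therefore needs the same access restrictions as a credential store.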
diff -U 2 -r bash-4.2/shell.c bash-4.2_orig/shell.c
--- bash-4.2/shell.c    2011-03-15 10:02:45.000000000 -0500
+++ bash-4.2_orig/shell.c       2011-03-15 09:56:25.000000000 -0500
@@ -40,6 +40,4 @@
#include "filecntl.h"
#include <pwd.h>
-#include <syslog.h>
-#include <sys/types.h>

#if defined (HAVE_UNISTD_H)
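Review bot: `#include <sys/types.h>` is redundant here, since `<pwd.h>` two lines above already provides uid_t and gid_t; harmless, but it can be dropped to keep the diff minimal.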
@@ -571,10 +569,4 @@
{
char *term, *emacs;
-      struct passwd *pwd_ent;
-
-      openlog("bash", LOG_PID, LOG_LOCAL5);
-      pwd_ent = getpwuid(getuid());
-      syslog(LOG_INFO, "interactive shell started by username: %s UID: %d EUID: %d GID: %d EGID: %d",
-        pwd_ent->pw_name, pwd_ent->pw_uid, geteuid(), getgid(), getegid());

term = get_string_value ("TERM");
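Review bot: two problems in the openlog/syslog block. First, `pwd_ent` is again dereferenced without a NULL check (same fix as in bashhist.c). Second, the identity comes from `getpwuid(getuid())`, so a shell reached through `su` or `sudo -i` is recorded as root with no trace of who escalated; record the audit login uid (`/proc/self/loginuid` on Linux) or `$SUDO_USER` alongside so the session can be tied back to a person. Minor: uid_t and gid_t are unsigned on Linux, so the `%d` conversions for UID/EUID/GID/EGID should be `%u` (or a cast to unsigned long with `%lu`). Note also that this is the only openlog() call and it sits in the interactive-shell branch (the `term = get_string_value ("TERM");` context), so only interactive bash sessions are covered; that coverage limit belongs next to the rsyslog rule so nobody reads the log as a complete record.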

Download bash-bofh-4-2-7.patch.

patch -p0 < bash-bofh-4.2.7.patch

Done! Now compile as you normally would. If you can't remember your old ./configure line... well, that will soon be a thing of the past!

Here is the /etc/rsyslog.d/10-command.conf file I use:

local5.* /var/log/commands/commands.log

Make sure you don't let logrotate rotate away your custom logfile!


This should work on bash 4.2, bash 4.2.1, bash 4.2.2, bash 4.2.3, bash 4.2.4, bash 4.2.5, bash 4.2.6, bash 4.2.7

Last Updated on Thursday, 17 March 2011 15:19