Busk: Created page with "Yes, you absolutely can log all commands for a specific user inside an LXD container without giving it privileged access. The best way to do this is by modifying the user's s..."

2025-10-17T18:26:14Z

Created page with "Yes, you absolutely can log all commands for a specific user inside an LXD container without giving it privileged access. The best way to do this is by modifying the user's s..."

New page

Yes, you absolutely can log all commands for a specific user inside an LXD container without giving it privileged access.

The best way to do this is by modifying the user's shell configuration files within the container. This approach doesn't require any special container privileges because it operates at the user and shell level, not the kernel level like `auditd`.

-----

### Using the User's `.bashrc` File

This method involves adding a logging command to the specific user's `~/.bashrc` file. Every time that user opens a new terminal or runs a command, it will be logged.

Here are the steps to follow **inside the LXD container**:

1. **Access the Container Shell**
First, get a shell inside the container you want to monitor.

```bash
lxc exec your-container-name -- bash
```

2. **Switch to the Target User**
If you are not already logged in as the user you want to monitor, switch to that user. Let's say the user is named `testuser`.

```bash
su - testuser
```

3. **Edit the `.bashrc` File**
Open the user's `.bashrc` file with a text editor like `nano`.

```bash
nano ~/.bashrc
```

4. **Add the Logging Command**
Scroll to the very end of the file and add the following line. This command uses `PROMPT_COMMAND` to execute the `logger` utility before each new command prompt is displayed.

```bash
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.info "USER: $(whoami) PWD: $(pwd) CMD: $(history 1 | sed "s/^[ ]*[0-9]\+ //" )"'
```

This line will log the **username**, their **current directory**, and the **command they just ran**.

5. **Configure Log Storage (as root)**
You'll need to tell the system where to store these logs. Exit from the user's session (`exit`) to return to your root shell within the container.

Create a new configuration file for `rsyslog`:

```bash
nano /etc/rsyslog.d/50-user-commands.conf
```

Add the following line to this new file. This tells `rsyslog` to send any logs from the `local6` facility to a specific file.

```
local6.* /var/log/user_commands.log
```

6. **Restart `rsyslog`**
Apply the changes by restarting the `rsyslog` service.

```bash
systemctl restart rsyslog
```

-----

### How It Works and How to View Logs

From now on, whenever `testuser` executes a command, it will be automatically logged to `/var/log/user_commands.log` inside the container.

To see the logs in real-time, you can use the `tail` command from within the container's root shell:

```bash
tail -f /var/log/user_commands.log
```

The output will look something like this:

```
Oct 17 12:18:01 container-name testuser: USER: testuser PWD: /home/testuser CMD: ls -l
Oct 17 12:18:05 container-name testuser: USER: testuser PWD: /home/testuser CMD: cd /tmp
Oct 17 12:18:09 container-name testuser: USER: testuser PWD: /tmp CMD: echo "hello world"
```

#### Important Considerations ⚠️

* **Bypassable**: A knowledgeable user could potentially bypass this logging by editing their own `.bashrc` file, using a different shell, or manually unsetting the `PROMPT_COMMAND` variable.
* **Bash Specific**: This method works for the `bash` shell. If the user uses a different shell like `zsh`, you would need to modify the corresponding configuration file (e.g., `~/.zshrc`).

Ssh audit bashrc - Revision history

Busk: Created page with "Yes, you absolutely can log all commands for a specific user inside an LXD container without giving it privileged access. The best way to do this is by modifying the user's s..."