Yes, history is a bash internal command and that's why I opened initally this thread because I wanted to know if there is any chance to track internal bash commands like history as well via auditd. For now it seems pam_tty_audit doesn't do the job.
 
 
Gesendet: Mittwoch, 09. Februar 2022 um 02:09 Uhr
Von: "Casey Schaufler" <casey@schaufler-ca.com>
An: "André Letterer" <andre.letterer@web.de>, "Richard Guy Briggs" <rgb@redhat.com>
Cc: Linux-audit@redhat.com
Betreff: Re: How to configure auditd to register like internal bash commands?
On 2/8/2022 4:24 PM, André Letterer wrote:
> Yeah, it's a very good start.
> However it seems it still doesn't do what I want.
> It seems only changing the 2 files doesn't do the job:
>           nano /etc/pam.d/system-auth
>             session    required     pam_tty_audit.so disable=* enable=logs log_passwd
>           nano /etc/pam.d/password-auth
>             session    required     pam_tty_audit.so disable=* enable=logs log_passwd
> I get much more entries in /var/log/audit/audit.log for user logs like for instance if I su to this one.
> However unfortunately commands like "history -c" don't still trigger an entry...

There are a significant number of commands that are shell built-ins,
including "history".

> Is there still a follow-up idea on this?
> *Gesendet:* Mittwoch, 09. Februar 2022 um 00:20 Uhr
> *Von:* "Richard Guy Briggs" <rgb@redhat.com>
> *An:* "André Letterer" <andre.letterer@web.de>
> *Cc:* Linux-audit@redhat.com
> *Betreff:* Re: How to configure auditd to register like internal bash commands?
> On 2022-02-07 23:37, André Letterer wrote:
> > Hi folks,
> >
> > I would like to have some help on configuring auditd for very short
> > running commands like
> > unset ...
> > set ...
> > export ...
> > history -c
> >
> > or similar commands.
> > How would that be possible?
> > Would you mind please to help me on some knowledge about that?
>
> You may want to look into pam_tty_audit, but it may flood your logs.
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit