pam_tty_audit.so
How come no one ever told me about this! A while ago we were tasked to find a way to log all commands executed by root. I know bash_history is easily manipulated so I spent some time on google trying to find a logging shell, then got distracted by something shiny and forgot all about this task. Turns out the linux auditing system has a built-in tty logging accounting module that will log all tty sessions! Just add this to your pam stack (/etc/pam.d/system-auth on redhat and clones):
session required pam_tty_audit.so disable=* enable=root
Then run a few commands as root, and the aureport command will become your friend:
audit]# aureport --tty -ts today
TTY Report =============================================== # date time event auid term sess comm data =============================================== 1. 11/22/2009 00:07:52 132278 1040 ? 4294962295 bash "hello world",<ret>
UPDATE:
You need a newer version of the audit rpm package, tty info will be collected but aureport does not know how to display them.
