Abstract: Command history records generated by the Unix shell are one of the important sources of system auditing information. However, command history does not include sufficient information for intrusion detection, and the history records can easily be modified by the users themselves. Using the Linux loadable kernel module technique and system call interception, this paper implements an extension to the security auditing mechanism of the Linux shell and then gives some examples of security monitoring with the new mechanism.