Often we've had boxes compromised, or commands run that we have no idea who did it and at what time. Its very frustrating, especially when we have no idea if a customer did it, one of the staff, or if a box was compromised.
Glenn found this little snippet which is now default in all new VPS we have.
now you can run the following command
wishes@tulip:~$ history | tail -n 2 502 2009-10-15-11:26 vim .bashrc 503 2009-10-15-11:26 history | tail -n 2
If you want this permanent you can put it into /etc/profile on a line by itself. This will then be sites wide.