How could I programmatically detect if a Linux machine is being controlled by a user that has logged in using a serial console? I would be doing the checking through BASH.
The who command will give you a list of users logged on and where they are logged on from.
For example:
~$ who
john pts/1 2009-07-29 10:06 (ourcompanyvpnserver.org)
mary tty7 2009-07-29 10:11 (:0)
frank pts/2 2009-07-27 12:10 (att.net)
jim pts/4 2009-07-28 14:51 (comcast.net)
The output of who indicates "how" the users are logged in. User mary's console is hooked into tty7 The tty indicates that mary is logged in physically via a serial console. So mary has the ability to control the computer through the serial console.
In order to determine what she is doing you would need to look at her.bash_history file. Usually this is under /home/mary/.bash_history .
If you want to long term log all commands that come in over a serial console (aka keyboard attached to that machine), I would modify the linux serial driver to log all input and output. I do not know how hard that would be.