Via digininja's Twitter account, I have found this blog post that describes a set of Metasploit Linux Post Exploitation modules.
I think the list of executed commands is more or less complete, but I would also add the following :
# currently logged users and server uptime.
# all opened connections (TCP,UDP and Unix sockets) and the respective PID/UID
# same as before but only TCP and UDP
lsof -nn | egrep "TCP|UDP"
# the mount command only displays the currently mounted devices. We may find a commented line or a device that is not automatically mounted
# Is the server exporing NFS volumes?
# tree view of all the processes
# last users that logged to the system. The -a flag puts the complete remote hostname on the last column
# similar to the previous one
# quick view of the log policy in the computer. The default is 4 weeks worth of logs.
ls -lat /var/log
# Are they sending logs to a centralized system?