Hi,
I have a linux redhat 9 server and I am concerned about the security on that server.
I would like to be able to write a script that records all the commands that were typed at the command prompt before the user calls the 'history -c' command and deletes all the history.
I was thinking about firing or triggering that bacth script upon the call to history. Is this doable and if not are there any other alternatives?
Thanks --
If you have updated the kernel to 2.6 - consider inotify. It allows you to specify a directory or file to watch.
We have all of the history files in one directory - man ksh or man bash for HISTFILE. Set HISTSIZE(or HISTFILESIZE for bash) to a large number ~1000.
What problems are you having - do you not have the system locked down?
Thanks for the reply.
I have kernel 2.4. Whenever I log in to the machine I see that the history file has been purged. I want to create a script that saves a version of the file before it gets deleted. I have locked down my machine but want to monitor internal users and make sure no harm is being done.
Thanks again.
What history file - ie., for what user? If you have the HISTFILE variable set as readonly
and then start inotify or something else to do a change notify on the HISTFILE directory, you will catch whoever is playing games.
If there are users who can su root, that means your system is not locked down.
I wrote the following script that executes every minute:
export LOGNAME PATH
shopt -s histappend
PROMPT_COMMAND='history -a'
d=`date +%y_%m_%d%H%M%S`
#RECFILE=/root/.sessionlog/${LOGNAME}_$d
RECFILE=/root/.sessionlog/${LOGNAME}
echo "***************">> $RECFILE
echo $d >> $RECFILE
history >> $RECFILE
This copies the history log to a file and I scheduled this script to run every minute.