As a system administrator. sometimes we see the users are trying some commands dangerous for the system health and remove them from their individual coomand history file.
How it is possible to enforce that the normal usres will will not be able to modify the history.
Thanks in advance.
Partha
If they know how to use history files youre doomed...
Alternatives?
Well
1) audit on the those commands...
2) remove execute privilege for them on those commands and install and use sudo so they have to use sudo to execute those commands (you will have to configure properly the sudoers file...) for sudo will log all the sudo activity AND the user cannot remove sudo logs...
What type of dangerous commands are the users capable of executing ?
Most dangerous commands are limited to root, other than rm.
If these users have access to files they should not then fix your security instead of trying to cover it up.
Turn off the history file option ? set HISTFILE=/dev/null or something else the user does not have permission to.
We have the following in our /etc/profile:
HISTFILE=/var/log/hist/$USER`date +%Y%m%d%H%M%S`.hist
HISTSIZE=100000
That keeps a nice, timestamped record of everything. Then you can copy that off to another location every now-and-again for posterity's sake.
Of course, this only works for people who don't know where to look to find such things.
What do they do to the history?
>.sh_history ?