Track user commands

mishkamima · November 18, 2009, 2:46am

Hi,
I have a unix server and I am concerned about the security on that server.
I would like to be able to write a script that records all the commands that were typed at the command prompt before the user calls the 'history -c' command and deletes all the history.
I was thinking about firing or triggering that bacth script upon the call to history. Is this doable and if not are there any other alternatives?

Thanks --

GaneshCPUX · November 18, 2009, 5:52am

Use "fc -l" to show a history of the last commands.

mishkamima · November 19, 2009, 1:44am

Thanks for your reply,

but the fc -l command works similarly to the history command.
once someone runs history -c, all the entries in the history file are deleted. This is why I need to write my own history script that runs in the background, or an easier solution would be to run a script that saves the entries in the history file in another file before erasing the history file.
Writing the script is trivial, what is not trivial to me is triggering the script when the history -c command is run.

Anyone has an idea how to do that ?

dplinux · November 19, 2009, 3:05am

Well from my knowledge there is no #history command. it is an alias to #fc command.
Solutions to your problem
create an entry in crontab. which backsup the history file every few minutes or everytime the history file is updated.

drl · November 19, 2009, 11:47am

Hi.

On some versions of Linux and Solaris (possibly old Solaris versions), a process accounting scheme can be made available. I know that I once used this mechanism on Sun boxes to tabulate command usage ... cheers, drl

       If  the  kernel  is  built with the process accounting option enabled (
       CONFIG_BSD_PROCESS_ACCT ), then calling acct(2) starts process account-
       ing, for example:

           acct("/var/log/pacct");

       When  process  accounting is enabled, the kernel writes a record to the
       accounting file as each process on the system terminates.

more in chapters 2 and 5 man acct

mjkroner · November 24, 2009, 12:45pm

Have you experimented with altering the fc command ?

mishkamima · November 26, 2009, 5:05am

I wrote the following script that executes every minute:

export LOGNAME PATH
shopt -s histappend
PROMPT_COMMAND='history -a'

d=`date +%y_%m_%d%H%M%S`
#RECFILE=/root/.sessionlog/${LOGNAME}_$d
RECFILE=/root/.sessionlog/${LOGNAME}

echo "***************">> $RECFILE
echo $d >> $RECFILE
history >> $RECFILE

This copies the history log to a file and I scheduled this script to run every minute.

methyl · November 26, 2009, 9:55am

I haven't got a "-c" option to "fc".
What O/S and shell do you have?

What is the output from:

type history