Question for all sysadmins.
How do you keep track of what commands each user uses on his account? I thought an easy way is to monitor .bash_history, however those files can be "edited" by the user.
Is there a permission combination that will allow the shell to record to it but yet they can't edit it?
You can't really have a person updating a file like .bash_history and then disallow them to edit it (both actions require write permissions). Unfortunately Unix doesn't have as finely granulated file permissions as some other OSes. If you need to audit users' activities you need an accounting program that logs targeted activities.
As a suggestion, perhaps you could run a cron job from root every minute or so to copy any changes to the .bash_history files to a secured directory. I haven't done this personally but it seems feasible.
Certainly points to the accounting solution once again, especially if you have a savvy user who knows he is being monitored in this way. Of course, the user would need to suspect that he was being monitored in this way, but sometimes what seems unlikely happens and I can see this taking place.
History is certainly useless since it's under control of the user. I looked in my bash book and saw:
Quote:
...HISTCONTROL variable. If set to ignorespace, any commands that you type that start with a space won't appear in the history.
And there are many other ways to defeat history, including typing "sh" and running a Bourne shell for a while.
I hate to be a party pooper, but accounting is also easily defeated. But why bother? Suppose your accounting records show that I did:
OK, now what did I do?
Some versions of Unix have C2 level security features. You can configure them to track every system call invoked by every user. This puts a nasty load on the system though. Short of this, you aren't going to be able to reliably track what users do.
Hmm... maybe I'm missing something here, but if you don't want your users to edit that file, why not just change ownership of the file to root, allow read and execute access only?
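The root cron copy suggested earlier in this thread, sketched as an added example that is not code from any of the posters: it keeps an append-only archive and flags a run where previously recorded lines are no longer an exact prefix of the history file. The function name `snapshot_history`, the archive layout and the crontab paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): root-run, append-only archiving of a
# user's .bash_history with a check that earlier entries were not altered.
# The function name and the archive layout are assumptions.

# snapshot_history <history_file> <archive_dir>
# Prints "unchanged", "appended N" or "tampered"; returns 2 on "tampered".
snapshot_history() {
    src=$1
    dir=$2
    archive="$dir/history.log"   # cumulative copy, only ever appended to
    state="$dir/last_seen"       # the history file as it looked last run
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$archive" ] || : > "$archive"
    [ -f "$state" ] || : > "$state"
    [ -f "$src" ] || src=/dev/null   # a deleted file is treated as emptied

    old=$(( $(wc -l < "$state") ))
    # An untouched history only grows, so the previous snapshot must still
    # be an exact prefix of the current file.
    if awk -v n="$old" 'NR <= n' "$src" | cmp -s - "$state"; then
        new=$(( $(wc -l < "$src") - old ))
        if [ "$new" -eq 0 ]; then
            echo "unchanged"
            return 0
        fi
        tail -n "+$((old + 1))" "$src" >> "$archive"
        cat "$src" > "$state"
        echo "appended $new"
        return 0
    fi
    # Prefix mismatch: lines were edited, removed, or the file was replaced.
    # bash itself trims the file at HISTFILESIZE, which also lands here.
    {
        echo "#### prefix mismatch at $(date -u +%Y-%m-%dT%H:%M:%SZ), full copy follows"
        cat "$src"
    } >> "$archive"
    cat "$src" > "$state"
    echo "tampered"
    return 2
}

# Constructed crontab entry for root (paths are placeholders):
# * * * * * . /root/bin/snapshot_history.sh; snapshot_history /home/alice/.bash_history /var/log/histarchive/alice
```

The archive only contains what bash has already written to the file, which by default happens when the shell exits, so this complements the accounting and auditing options discussed above rather than replacing them.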