Thursday, February 16, 2017

Eternal Bash History for user command auditing in Linux

There are times when you need to track the commands executed by users. This includes all system users, irrespective of team, so that if things go wrong it is easy to trace who executed a given command.

This also helps resolve disputes within a team when two users each claim they did not execute a command. And if you are installing or configuring something new, you can refer back to the commands you executed.

Place the following configuration in /etc/bashrc:

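 # Apply only when the shell is bash
 if [ "$BASH" ]; then
   # Store a timestamp with every history entry
   export HISTTIMEFORMAT="%Y-%m-%d_%H:%M:%S "
   # Before each prompt, append time, user and the last history entry to the log.
   # ORIGINAL_USER is not set by this snippet; it logs as "()" unless defined elsewhere.
   export PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo "`date +'%y.%m.%d-%H:%M:%S:'`" $USER "("$ORIGINAL_USER")" "COMMAND: " "$(history 1 | cut -c8-)" >> /var/log/bash_eternal_history'
   alias ehistory='cat /var/log/bash_eternal_history'
   # Prevent these variables from being changed for the rest of the session
   readonly HISTSIZE
   readonly HISTFILE
   readonly HOME
   readonly HISTIGNORE
 fi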

The output is appended to a log file under the /var/log directory. Execute the following commands to create the log file:

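 touch /var/log/bash_eternal_history
 # World-writable so every user's shell can append to it; this also means
 # any user can read the log and append lines of their own
 chmod 777 /var/log/bash_eternal_history
 # Append-only attribute (run as root): existing entries cannot be overwritten or truncated
 chattr +a /var/log/bash_eternal_history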
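
Because PROMPT_COMMAND runs before every prompt, pressing Enter on an empty line writes the previous command to the log again with a new outer timestamp. The following is an added example, not part of the original post: a reader for the log that collapses those repeats and flags lines that do not fit the format. The function names and sample lines are constructed for illustration, and it assumes HISTTIMEFORMAT was set as above when the entries were written.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumed log line format
# (what the PROMPT_COMMAND above writes when HISTTIMEFORMAT is set):
#   yy.mm.dd-HH:MM:SS: USER (ORIGINAL_USER) COMMAND:  YYYY-mm-dd_HH:MM:SS cmd

# Constructed sample data. Lines 2 and 4 are line 1 logged again after an
# empty Enter: new outer timestamp, same history entry time.
ehistory_sample() {
    cat <<'EOF'
17.02.16-10:00:01: alice () COMMAND:  2017-02-16_10:00:00 ls -la /etc
17.02.16-10:00:05: alice () COMMAND:  2017-02-16_10:00:00 ls -la /etc
17.02.16-10:00:09: bob (alice) COMMAND:  2017-02-16_10:00:08 echo "x COMMAND: y"
17.02.16-10:00:12: alice () COMMAND:  2017-02-16_10:00:00 ls -la /etc
not a log line
EOF
}

# ehistory_unique [FILE|-]: print USER<TAB>ENTRY_TIME<TAB>COMMAND once per
# executed command; lines that do not fit the format are kept and flagged.
ehistory_unique() {
    awk '
    {
        i = index($0, " COMMAND: ")            # first marker is the real one
        rest = (i > 0) ? substr($0, i + 10) : ""
        sub(/^ +/, "", rest)                   # echo adds a second space
        sp = index(rest, " ")
        stamp = substr(rest, 1, sp - 1)        # time the command was entered
        if (i == 0 || sp == 0 || stamp !~ /^[0-9]+-[0-9]+-[0-9]+_[0-9:]+$/) {
            printf "UNPARSED\t-\t%s\n", $0
            next
        }
        split(substr($0, 1, i - 1), head, " ") # head[2] is $USER
        cmd = substr(rest, sp + 1)
        # Same user, entry time and text => same history entry logged again.
        # Trade-off: an identical command repeated within one second collapses.
        if (seen[head[2] SUBSEP stamp SUBSEP cmd]++) next
        printf "%s\t%s\t%s\n", head[2], stamp, cmd
    }' "${1:-/var/log/bash_eternal_history}"
}

ehistory_sample | ehistory_unique -
```

Since the log file is world-writable, this reader cannot tell a genuine entry from a line a user appended by hand; it only normalizes what is in the file.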

