RE: Saving command history for non-interactive shell

From: Lars Peterson
Subject: RE: Saving command history for non-interactive shell
Date: Fri, 16 Mar 2012 16:39:13 +0000

Thanks Greg.

I get what you're saying about the futility of recording everything users do. 
And I'm not interested in setting up a big brother / spy machine that will 
invoke the wrath of the Unix gods.

I'm not interested in security here...just auditing. We have a lot of scripts 
and commands that run from remote machines and I was just hoping that there was 
a way to capture their history on the server side vs the clients and 
workstations. I realize that this is semi-doable via an audit of syslog's 
AUTHPRIV facility; it makes forensics much easier to have everything stored in 
the shell's history though.

Think I'll take a pass on using the SYSLOG_HISTORY approach -- compiling a 
customized bash sounds like trouble.


-----Original Message-----
From: Greg Wooledge [mailto:address@hidden 
Sent: Friday, March 16, 2012 9:56 AM
To: Lars Peterson
Cc: address@hidden
Subject: Re: Saving command history for non-interactive shell

On Fri, Mar 16, 2012 at 02:33:35PM +0000, Lars Peterson wrote:
> Is there a way to configure bash so that commands from a 
> non-interactive shell are preserved in the history? I'm more 
> interested in saving commands invoked via ssh vs shell scripts.

From CHANGES, for bash 4.1:

l.  There is a new configuration option (in config-top.h) that forces bash to
    forward all history entries to syslog.

However, that only applies to commands that bash is already adding to its 
history.  So you'd also have to do a "set -o history" command at some point, 
since non-interactive shells don't do that by default.
That might be tricky to arrange.

And of course you'd have to force the ssh user to use your specially compiled 
bash with the SYSLOG_HISTORY option, and not some other shell.

If the larger context is "I want to know everything my users are doing", you're 
going to end up frustrated.  Unix simply wasn't designed to lock users down.  
Quite the opposite -- it was designed to give users full power.  Users can make 
system calls without going through a shell, by writing C code and so on.  They 
can also invoke processes without using a shell, if processes are the thing you 
actually want to track, rather than, for instance, file system operations.

If any of the above resembles your actual goal, then you need to look into 
"accounting" ("process accounting", etc.).  It's a huge topic, and logging 
shell commands doesn't even come close to addressing it.
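The point about "set -o history" above, as an added example that is not part of the thread: a non-interactive bash records nothing until history is switched on, and only lines read after that point are kept; the job script, the "on"/"off" switch and the output path are constructed here, and bash is assumed to be on PATH.

```shell
# run_job: run a constructed sample job in a non-interactive bash and ask it
# to write whatever history it collected to $1. $2 is "on" or "off" (an
# assumption of this example) to enable or skip "set -o history".
run_job() {
    out=$1
    mode=$2
    rm -f "$out"
    # The heredoc is the job a remote client might send; bash -s reads it
    # from stdin exactly as a piped ssh session would.
    bash -s "$out" "$mode" <<'EOF'
unset HISTFILE                     # keep bash from also saving at exit
HISTTIMEFORMAT='%F %T '            # makes "history -w" emit #epoch lines
[ "$2" = on ] && set -o history    # lines read before this are not recorded
echo "job start"
ls / >/dev/null
history -w "$1"                    # write the list to the file given as $1
EOF
}

# job_recorded: return 0 if the job's commands ended up in the history file.
job_recorded() {
    grep -q '^echo "job start"$' "$1" 2>/dev/null &&
        grep -q '^ls / >/dev/null$' "$1" 2>/dev/null
}
```

With HISTTIMEFORMAT set, each recorded line is preceded by a `#<epoch>` line, which is what makes the file usable for the kind of after-the-fact audit Lars describes.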