|
From: | dethrophes |
Subject: | Re: Saving command history for non-interactive shell |
Date: | Sat, 17 Mar 2012 22:10:54 +0100 |
User-agent: | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2 |
Am 16.03.2012 15:56, schrieb Greg Wooledge:
Just a suggestion but if its only about ssh then you could chroot to a new base and replace the bash with a bash script.On Fri, Mar 16, 2012 at 02:33:35PM +0000, Lars Peterson wrote:Is there a way to configure bash so that commands from a non-interactive shell are preserved in the history? I'm more interested in saving commands invoked via ssh vs shell scrpts.From CHANGES, for bash 4.1: l. There is a new configuration option (in config-top.h) that forces bash to forward all history entries to syslog. However, that only applies to commands that bash is already adding to its history. So you'd also have to do a "set -o history" command at some point, since non-interactive shells don't do that by default. That might be tricky to arrange. And of course you'd have to force the ssh user to use your specially compiled bash with the SYSLOG_HISTORY option, and not some other shell. If the larger context is "I want to know everything my users are doing", you're going to end up frustrated. Unix simply wasn't designed to lock users down. Quite the opposite -- it was designed to give users full power. Users can make system calls without going through a shell, by writing C code and so on. They can also invoke processes without using a shell, if processes are the thing you actually want to track, rather than, for instance, file system operations. If any of the above resembles your actual goal, then you need to look into "accounting" ("process accounting", etc.). It's a huge topic, and logging shell commands doesn't even come close to addressing it.
or change the default shell. to something like this. file /bin/bash #!/bin/realbash exec /bin/realbash -o history "${@}"i.e. so that when bash is called you enable history. haven't really tried it but I think it should be possible.
or do something like /bin/bash #!/bin/realbash exec logapp /bin/realbash -o xtrace "${@}" /bin/logbash #!/bin/bash exec logapp /bin/bash -o xtrace "${@}" testsctipt.sh #!/bin/logbash do something here ..... just some rough ideas.I mean depending on your setup you could either change the account default shell, only allow execution of the special logging shell, or just specify the logging shell in you hash bang entry.
heck you could even do something really crazy like manually read the bash input/script usinf read and eval each line of code,
something like while read -re ; do echo "${REPLY}"eval "${REPLY}" ## not saying its a good idea just that there are a lot of ways to skin this particular fish.
done or even something like /bin/logscript #!/bin/bash trap 'echo "${BASH_COMMAND}" >> Logfile' DEBUG source "${1}"
[Prev in Thread] | Current Thread | [Next in Thread] |