On Linux servers we usually have trouble logging the commands our users run, especially under BASH. BASH doesn’t write commands to its history file as soon as they’re executed, and a user can do a number of simple things to keep that history from ever reaching the disk, leaving you with no record of what happened. Users can still find ways around this, but the setup below closes off many of the easy evasions. The requirements are: BASH, extended-attribute support on your filesystem of choice, and root access to the machine you’re installing this on. The same can be done on BSD-based machines; I might write a modified article on that (the only difference is the filesystem command).
Here we go:
- The first step is getting BASH to log each command to the history file immediately. We do this by adding “history -a” to the beginning of PROMPT_COMMAND, so that BASH appends the new history lines to disk before every prompt. Next, we need to keep the user from deleting their .bash_history, which is BASH’s default history location.
- For that we use the Linux extended filesystem attributes, specifically the append-only flag, which is perfect for this:
chattr +a .bash_history
With this attribute set, data can still be appended to the file, but it can’t be opened, edited and saved, and it can’t be deleted or moved, unless you’re root and remove the attribute first.
- Next, we need to make the relevant variables read-only so that users can’t change where the history is stored, how large it can grow, and so on. Open up your /etc/profile and add this to the bottom:
if [ "$BASH" ]; then
    PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
    readonly PROMPT_COMMAND
    readonly HISTSIZE
    readonly HISTFILE
    readonly HOME
    readonly HISTIGNORE
    readonly HISTCONTROL
fi
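As an added example (my own script, not code from the post), here is the whole procedure packaged as one small sh installer: it writes the profile snippet as a drop-in, checks the snippet’s syntax, creates and locks each bash user’s .bash_history with chattr +a, and includes a check that the read-only lock actually holds in a fresh shell. It assumes bash is installed, the filesystem supports chattr, and /etc/profile.d/ is sourced by /etc/profile (true on most Linux distributions). The drop-in filename, the shopt -s histappend line and the extra HISTFILESIZE in the readonly list are this example’s additions, not the post’s.

```shell
#!/bin/sh
# Added example, not code from the original post. It packages the post's
# steps as a small installer. Assumptions: bash is installed, the filesystem
# supports chattr, and /etc/profile.d/ is sourced by /etc/profile. The
# drop-in path, histappend and HISTFILESIZE are this example's choices.

DROPIN_DEFAULT=/etc/profile.d/zz-history-lock.sh

# Write the profile snippet to $1 (default: $DROPIN_DEFAULT) and check its
# syntax with bash -n. Returns the status of the syntax check.
write_history_profile() {
    target="${1:-$DROPIN_DEFAULT}"
    cat > "$target" <<'EOF'
# Flush each command to the history file as soon as the prompt returns,
# then freeze every variable that controls where and how much is logged.
if [ "$BASH" ]; then
    shopt -s histappend
    PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
    readonly PROMPT_COMMAND
    readonly HISTSIZE HISTFILESIZE HISTFILE HOME HISTIGNORE HISTCONTROL
fi
EOF
    "${BASH:-bash}" -n "$target"
}

# Return 0 when a fresh bash that sources $1 refuses to reassign HISTFILE,
# i.e. the read-only lock holds; return 1 when the assignment goes through.
history_lock_holds() {
    [ -r "$1" ] || return 1
    if "${BASH:-bash}" -c '. "$1" && HISTFILE=/dev/null' _ "$1" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Make one user's history file append-only: create it if missing, give it
# private permissions, then chown it and set the attribute. chown and chattr
# need root; an unprivileged run only prepares the file and says so.
lock_history_file() {
    user="$1"
    hist="$2/.bash_history"
    [ -f "$hist" ] || : > "$hist" || return 1
    chmod 0600 "$hist" || return 1
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: skipping chown and chattr +a for $hist" >&2
        return 0
    fi
    chown "$user" "$hist" && chattr +a "$hist"
}

# Run as "sh history-lock.sh install": write the drop-in, then lock the
# history file of every account whose login shell is bash.
case "${1:-}" in
install)
    write_history_profile || exit 1
    while IFS=: read -r name _ _ _ _ home shell; do
        case "$shell" in
        */bash) lock_history_file "$name" "$home" ;;
        esac
    done < /etc/passwd
    ;;
esac
```

history_lock_holds is useful after any change to the profile files: if a later drop-in or a user’s own rc file ever manages to reset HISTFILE, the check fails and you know the lock is gone.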
Please note that this will cause some griping from those who like to customize their BASH environment; you can talk with them about how to integrate this with their custom setup.
Any comments or questions about this setup are more than welcome, and any ideas on how to improve this are also welcome.
Glad to see you’re back at it and with a great post no less!
Thanks!!
IMHO modifications to your bash variables such as PROMPT_COMMAND are better handled in the /etc/bashrc. Modding the var there and setting the var RO was the only way to avoid errors in RH ES 5.4.
Otherwise, very nice complementary sys mod for psacct. Well done.
Lonny
It looks like RHEL5 only references $HOME/.bashrc and /etc/bashrc when a user types bash at the prompt to open another shell so Lonny’s comment is further supported.
Does this account for the Bash trick where you leave a space at the beginning of a command to exempt it from logging to history?
That doesn’t actually work.