dufault.info

Ramblings of a phone weenie, Linux sysadmin, and other things geeky

16 02 2009

Logging all BASH commands to history, and keeping people from deleting/emptying it

On Linux servers we usually have trouble logging the commands our users run, especially under BASH. BASH does not write commands to its history file as soon as they are executed, and a user can do a number of simple things to prevent the history from ever reaching the disk, leaving you with no record of what went on. They can still do other things to dodge our efforts, but this is one step that closes off many of the easy ways to evade you. The requirements are: BASH, extended attribute support on your file system of choice, and root access to the machine you are setting this up on. The same can be done on BSD-based machines; I might write a modified article on that (the only difference is the filesystem command).

Here we go:

  1. The first step is getting BASH to log each command to the history file immediately after it runs. We do this by adding “history -a” to the beginning of PROMPT_COMMAND, which makes BASH flush the new history lines to disk before every prompt. Next, we need to keep the user from deleting their .bash_history, which is BASH’s default history file.
  2. For that we use the Linux extended filesystem attributes, specifically the append-only flag. It is perfect for this:
    chattr +a .bash_history

    With this attribute set, data can only be appended to the file: you can’t open it, edit it and save it, you can’t delete it, and you can’t move it, unless you are root and remove the attribute first.

  3. Next, we need to make the history-related variables read-only, so our users can’t change where the history is stored, how large it can grow, which commands are ignored, and so on. Open /etc/profile and add this at the bottom:
    # Only act in BASH; other login shells have no PROMPT_COMMAND or HISTFILE.
    if [ "$BASH" ]; then
    	# Flush new history lines to HISTFILE before every prompt.
    	PROMPT_COMMAND="history -a;$PROMPT_COMMAND";
    	readonly PROMPT_COMMAND
    	# Lock the variables that control where, how much, and what is logged.
    	readonly HISTSIZE
    	readonly HISTFILE
    	readonly HOME
    	readonly HISTIGNORE
    	readonly HISTCONTROL
    fi
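The two controls above are only useful if they are actually in place on every account, so here is a small audit helper, added as an example and not part of the original post: it reads lsattr output and reports history files that lack the append-only flag, and checks that a profile file marks each of the variables above readonly. The sample lsattr lines and the paths in it are constructed.

```shell
# Audit helper (added example, not from the original post). lsattr prints
# lines such as "-----a---------- /home/alice/.bash_history"; the attribute
# string is the first whitespace-delimited field, and 'a' means append-only.

# Return 0 if an lsattr line shows the append-only ('a') flag, 1 otherwise.
has_append_only() {
    flags=${1%% *}          # first field: the attribute string
    case $flags in
        *a*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read lsattr output on stdin; print each path that is NOT append-only.
missing_append_only() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line#* }
        has_append_only "$line" || printf '%s\n' "$path"
    done
}

# Print each history-related variable the given profile does not mark readonly.
missing_readonly_vars() {
    for var in PROMPT_COMMAND HISTSIZE HISTFILE HOME HISTIGNORE HISTCONTROL; do
        grep -Eq "^[[:space:]]*readonly[[:space:]]+$var([[:space:]]|\$)" "$1" \
            || printf '%s\n' "$var"
    done
}

# Constructed sample of lsattr output: alice is protected, bob is not.
SAMPLE_LSATTR='-----a---------- /home/alice/.bash_history
---------------- /home/bob/.bash_history'

# On a real host (needs lsattr from e2fsprogs and a filesystem with ext attributes):
#   lsattr /home/*/.bash_history 2>/dev/null | missing_append_only
#   missing_readonly_vars /etc/profile
printf '%s\n' "$SAMPLE_LSATTR" | missing_append_only   # prints /home/bob/.bash_history
```

Run it as root from cron and any path or variable it prints is an account where the protection has been removed or was never applied.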

Please note that this will cause some griping from those who like to customize their BASH environment; you can talk with them about integrating this with their custom setup.

Any comments or questions about this setup are more than welcome, and any ideas on how to improve this are also welcome.


4 Responses to “Logging all BASH commands to history, and keeping people from deleting/emptying it”

  1. Glad to see you’re back at it and with a great post no less!

  2. Thanks!!

  3. IMHO modifications to your bash variables such as PROMPT_COMMAND are better handled in the /etc/bashrc. Modding the var there and setting the var RO was the only way to avoid errors in RH ES 5.4.

    Otherwise, very nice complementary sys mod for psacct. Well done.

    Lonny

  4. It looks like RHEL5 only references $HOME/.bashrc and /etc/bashrc when a user types bash at the prompt to open another shell so Lonny’s comment is further supported.
