Bash – search bash history across all users on a server

bashcommand historylinuxusers

I want to see all bash commands that have been run on a Linux server across multiple user accounts. The specific distribution I'm using is CentOS 5.7. Is there a way to globally search .bash_history files on a server or would it be a more home-grown process of locate | cat | grep? (I shudder just typing that out).

Best Answer

Use getent to enumerate the home directories.

getent passwd |
cut -d : -f 6 |
sed 's:$:/.bash_history:' |
xargs -d '\n' grep -s -H -e "$pattern"

If your home directories are in a well-known location, it could be as simple as

grep -e "$pattern" /home/*/.bash_history

Of course, if a user uses a different shell or a different value of HISTFILE, this won't tell you much. Nor will this tell you about commands that weren't executed through a shell, or about aliases and functions and now-removed external commands that were in some user directory early in the user's $PATH. If what you want to know is what commands users have run, you need process accounting or some fancier auditing system; see Monitoring activity on my computer., How to check how long a process ran after it finished?.

Related Solutions

Bash – Search History Across Multiple Screen Windows

You can run history -a; history -c in all windows to save the history. And then history -r to refresh it.

To solve it more permanently add this to your .bashrc:

export PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"

Bash – Shell – Deal with multiple command history files

Shell history files are a poor way of auditing commands. They can trivially be modified or bypassed by users. They are only useful if you trust users not to deliberately or accidentally bypass the auditing mechanism. For example, commands started from a GUI, from an editor, etc. aren't recorded this way. There are many other ways a user could launch non-logged commands and even maintain plausible deniability that they were doing it for convenience or without realizing it and not as a deliberate attempt to bypass a security measure.

If you make the history files append-only (which requires running chattr +a as root on the history file), then everything that's been recorded stays recorded, but it's still easy to bypass the recording.

Rather than keep separate history files, you could keep a single history file and back it up regularly. That will retain the date at which commands were executed, but not the terminal.

If you need to have some confidence that the logs correspond to the commands that were executed, shell history files are the wrong tool. Use the audit daemon instead. Configure it to log all execve calls.

auditctl -A exit,always -S execve

See the following questions for more information:

Best Answer

Related Solutions

Bash – Search History Across Multiple Screen Windows

Bash – Shell – Deal with multiple command history files

Related Question