Bash – Shell – Deal with multiple command history files

Tags: bash, command-history, ksh

Where I work, for security and auditing purposes, we have to keep one history file for each session (user, date, terminal, etc. in the file name).

Obviously, the HISTFILE variable is set to read-only (readonly HISTFILE); therefore a normal user cannot set a different history file (and neither can root, without changing /etc/profile).

This is what we have in the /etc/profile:

EXTENDED_HISTORY=ON
readonly EXTENDED_HISTORY
export EXTENDED_HISTORY
HISTFILE=$HOME/.history/`date +%y%m%d.%H%M%S`.${WHO_USER:-user}.${WHO_TERMINAL:-term}.${SSH_PORT:-port}.${MY_PID:-pid}
readonly HISTFILE
export HISTFILE

The big issue is that we cannot search for old commands, except by doing a grep on the older files.

Do you please have a simple workaround or even a better solution to keep the auditing and still be able to share the command history across multiple sessions?

We use ksh and bash.

Best Answer

Shell history files are a poor way of auditing commands. They can trivially be modified or bypassed by users. They are only useful if you trust users not to deliberately or accidentally bypass the auditing mechanism. For example, commands started from a GUI, from an editor, etc. aren't recorded this way. There are many other ways a user could launch non-logged commands and even maintain plausible deniability that they were doing it for convenience or without realizing it and not as a deliberate attempt to bypass a security measure.

If you make the history files append-only (which requires running chattr +a as root on the history file), then everything that's been recorded stays recorded, but it's still easy to bypass the recording.

Rather than keep separate history files, you could keep a single history file and back it up regularly. That will retain the date at which commands were executed, but not the terminal.

If you need to have some confidence that the logs correspond to the commands that were executed, shell history files are the wrong tool. Use the audit daemon instead. Configure it to log all execve calls.

auditctl -A exit,always -S execve

See the following questions for more information:
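The question's concrete pain point is that the per-session files can only be searched one at a time. The script below is an added example, not code from the question, the answer or any /etc/profile on the page: it consolidates files named with the page's `yymmdd.HHMMSS.user.term.port.pid` scheme into one tab-separated stream (date, time, user, terminal, command) so a single grep covers every session, and the file names rather than the file contents supply the timestamps, so it works with plain ksh/bash history files that carry no timestamps. The sample directory it builds is constructed data; the function names are this example's own.

```shell
#!/bin/sh
# Added example: consolidate per-session shell history files whose names follow
# yymmdd.HHMMSS.user.term.port.pid (the scheme in the question) into one
# searchable stream.  Assumes plain history files, one command per line.

# merge_history DIR
#   Prints every command from every session file in DIR, oldest session first
#   (the glob sorts by name, and names start with yymmdd.HHMMSS), prefixed with
#   the session's date, time, user and terminal parsed from the file name.
#   Output: date<TAB>time<TAB>user<TAB>term<TAB>command
merge_history() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Split the name on dots: 1=date 2=time 3=user 4=terminal 5=port 6=pid.
        # Files that do not have exactly six fields are not session files.
        set -- $(printf '%s\n' "$name" | tr '.' ' ')
        [ $# -eq 6 ] || continue
        date=$1 time=$2 user=$3 term=$4
        # "|| [ -n "$cmd" ]" keeps a last line that lacks a trailing newline.
        while IFS= read -r cmd || [ -n "$cmd" ]; do
            [ -n "$cmd" ] || continue
            printf '%s\t%s\t%s\t%s\t%s\n' "$date" "$time" "$user" "$term" "$cmd"
        done < "$f"
    done
}

# search_history DIR PATTERN
#   One grep over the consolidated stream instead of one grep per file.
search_history() {
    merge_history "$1" | grep -- "$2"
}

# build_sample DIR
#   Creates three constructed session files (sample data, not real history)
#   plus one file that does not match the naming scheme and must be skipped.
build_sample() {
    mkdir -p "$1"
    printf 'ls -l\ncd /var/log\n'     > "$1/240301.091500.alice.pts0.22.1001"
    printf 'tail -f syslog\n'         > "$1/240301.143000.bob.pts1.22.1042"
    printf 'grep -r ERROR /var/log\n' > "$1/240302.080000.alice.pts0.22.1103"
    : > "$1/not-a-session-file"
}

# Stand-alone demonstration on the constructed sample directory.
demo() {
    tmp=$(mktemp -d)
    build_sample "$tmp"
    echo "All commands, oldest session first:"
    merge_history "$tmp"
    echo
    echo "Commands that mention /var/log:"
    search_history "$tmp" '/var/log'
    rm -rf "$tmp"
}

demo
```

Pointing `merge_history` at the real `$HOME/.history` directory (or a central copy of everyone's session files) gives auditors one stream to grep, while the per-session files the policy requires stay untouched. It does not change the answer's assessment: because the source files are writable by the user who produced them, the merged view is only as trustworthy as they are, which is why the answer points to auditd for evidence-grade logging.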
