Shell – Viewing bash history of separate active TTY

Tags: command history, proc, shell, tty

I am working on a script that will help the sysadmins on our team monitor what's going on in other terminals by other logged in users.

One thing I'm stuck on right now is how to view what commands have been typed. I realize that the history doesn't get saved until the user exits or types history -a, but there has to be a way to view what's currently in the history, even if it's stored in memory somewhere.

Is it possibly saved somewhere in /proc/${pid_of_users_bash}? I tried to type a command echoing a unique string (e.g. echo "foobarbaz"), then grepping for foobarbaz through any flat files within the associated /proc/PID directory, but no luck.

If anyone has a solution that doesn't involve setting the PROMPT_COMMAND or setting the histappend (like these), that would be greatly appreciated.

Best Answer

Bash does not provide the information you want. I think you want to avoid setting COMMAND_PROMPT and histappend because users may easily overwrite them. But users may completely disable storing commands to history when they set HISTCONTROL="ignorespace" and insert a space before each command. So users that are not willing to be monitored cannot be reliably monitored via bash history.

Ad hoc monitoring of a single session can be done over strace. Search for the PID of the user's bash and then call strace -p <bash-pid> 2>&1 |grep "read(0,". Then you can see all characters typed by the user - including typos and editing commands.

Most Linux distributions provide the auditd package. It monitors and audits system components so the administrator may get information about system activities in the past. A PAM module, pam_tty_audit, cooperates with auditd and enables or disables TTY activity auditing. I guess you do not need to reinvent the wheel and can use pam_tty_audit.
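An added example, not part of the original answer: reading back what pam_tty_audit recorded by decoding the hex data= field of TTY audit records and replaying the keystrokes per login session, which also shows that a space-prefixed command hidden from bash history is still captured. The record layout and the sample lines are constructed assumptions, and typed_lines and render are hypothetical helper names; on a real system aureport --tty produces this report.

```python
import re

# Constructed sample records in the layout assumed for auditd TTY events
# (data= holds the typed bytes, hex-encoded). Not taken from a real host.
SAMPLE_LOG = """\
type=TTY msg=audit(1700000000.101:41): tty pid=2301 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C610D
type=USER_START msg=audit(1700000001.000:42): pid=2290 uid=0 auid=1000 ses=3 msg='op=PAM:session_open'
type=TTY msg=audit(1700000002.417:43): tty pid=2301 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=20636174202F6574632F
type=TTY msg=audit(1700000002.901:44): tty pid=2301 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=686F7374737F0D
type=TTY msg=audit(1700000003.900:45): tty pid=2377 uid=0 auid=1001 ses=4 major=136 minor=2 comm="bash" data=77686F0D
"""

# auid (login uid) survives su/sudo, so it identifies who really typed.
TTY_RE = re.compile(
    r'^type=TTY .*?\bauid=(\d+) .*?\bses=(\d+) .*?\bdata=((?:[0-9A-Fa-f]{2})+)\s*$')

def render(raw):
    """Replay keystrokes: apply backspace/DEL, split on Enter, escape the rest."""
    lines, cur = [], []
    for b in raw:
        if b in (0x0D, 0x0A):            # Enter ends the current line
            lines.append("".join(cur))
            cur = []
        elif b in (0x7F, 0x08):          # DEL / backspace removes last key
            if cur:
                cur.pop()
        elif 0x20 <= b < 0x7F:           # printable ASCII
            cur.append(chr(b))
        else:                            # keep control/escape bytes visible
            cur.append(f"\\x{b:02x}")
    if cur:
        lines.append("".join(cur))
    return lines

def typed_lines(log_text):
    """Return {(auid, session): [typed line, ...]} from raw audit log text."""
    buffers = {}
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:                        # other record types, malformed hex
            continue
        key = (int(m.group(1)), int(m.group(2)))
        # One typed line can span several records, so join per session first.
        buffers.setdefault(key, bytearray()).extend(bytes.fromhex(m.group(3)))
    return {key: render(bytes(buf)) for key, buf in buffers.items()}

if __name__ == "__main__":
    for (auid, ses), lines in typed_lines(SAMPLE_LOG).items():
        for text in lines:
            print(f"auid={auid} ses={ses}: {text!r}")
```

Because the records hold raw keystrokes, anything typed at a prompt with echo disabled can end up in the audit log as well, so access to these logs should be restricted accordingly.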
