Shell - Deal with multiple command history files
Solution 1
Shell history files are a poor way of auditing commands. They can trivially be modified or bypassed by users. They are only useful if you trust users not to deliberately or accidentally bypass the auditing mechanism. For example, commands started from a GUI, from an editor, etc. aren't recorded this way. There are many other ways a user could launch non-logged commands and even maintain plausible deniability that they were doing it for convenience or without realizing it and not as a deliberate attempt to bypass a security measure.
If you make the history files append-only (which requires running chattr +a as root on the history file), then everything that's been recorded stays recorded, but it's still easy to bypass the recording.
Rather than keep separate history files, you could keep a single history file and back it up regularly. That will retain the date at which commands were executed, but not the terminal.
If you need to have some confidence that the logs correspond to the commands that were executed, shell history files are the wrong tool. Use the audit daemon instead. Configure it to log all execve calls.
auditctl -A exit,always -S execve
See the following questions for more information:
- Log every invocation of every SUID program?
- Process Monitor equivalent for Linux?
- Can I send auditd logs to another computer?
Solution 2
I'm not 100% clear on what you're asking, but here's how I get separate history for each session. It's basically named according to host and pty. This is for bash.
# Unique history file per shell session.
HISTSIZE=300
# Host name (domain stripped) plus the pty name, e.g. .bash_hist_myhost_pts0
HISTFILE=$HOME/.bash_hist_${HOSTNAME/.*/}_$(basename $(tty))
# SAVEHIST is a zsh variable; bash uses HISTFILESIZE for the on-disk limit.
SAVEHIST=500
export HISTCONTROL=ignoredups
This is in a ~/.bashrc file. I don't understand what you mean by you can't change HISTFILE.
One drawback is you can't predict what session history you will get. But to audit you can grep the full set:
grep something ~/.bash_hist_*
But you do keep the context of a session in a separate file.
tmow
Updated on September 18, 2022
Comments
-
tmow over 1 year
Where I work, for security and auditing purpose, we have to keep one history file for each session (user, date, terminal, etc in the file name).
Obviously, the HISTFILE variable is set to read only (readonly HISTFILE), therefore a normal user cannot set a different history file (unless root, without changing /etc/profile). This is what we have in /etc/profile:
EXTENDED_HISTORY=ON
readonly EXTENDED_HISTORY
export EXTENDED_HISTORY
HISTFILE=$HOME/.history/`date +%y%m%d.%H%M%S`.${WHO_USER:-user}.${WHO_TERMINAL:-term}.${SSH_PORT:-port}.${MY_PID:-pid}
readonly HISTFILE
export HISTFILE
The big issue is that we cannot search for old commands, except by doing a grep on the older files.
Do you please have a simple workaround or even a better solution to keep the auditing and still be able to share the command history across multiple sessions?
We use ksh and bash.
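The grep-across-files approach from Solution 2, applied to the per-session naming scheme from this question (date.time.user.terminal.port.pid), as an added example that is not part of either answer or of the original question: a small POSIX shell helper that searches every per-session history file and keeps the session context (the file name) on each hit, so the date, user and terminal of a command are not lost when searching across sessions. The sample session files it creates are constructed for the demonstration; HIST_DIR and the function names are assumptions, not anything from the page's own setup.

```shell
#!/bin/sh
# Added example: search across per-session history files while keeping the
# session context on every hit. Not part of the answers above.
# Assumed layout: one file per session under HIST_DIR, named
# YYMMDD.HHMMSS.user.terminal.port.pid as in the question's /etc/profile.

HIST_DIR="${HIST_DIR:-$HOME/.history}"   # assumption: where sessions live

# make_sample_history DIR: create three constructed session files so the
# helper can be exercised offline. The names sort chronologically.
make_sample_history() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' 'ls -la' 'ssh app01' 'sudo systemctl restart nginx' \
        > "$dir/230101.090000.alice.pts0.22.4100"
    printf '%s\n' 'cd /var/log' 'grep -i error syslog' \
        > "$dir/230102.143000.alice.pts1.22.5200"
    printf '%s\n' 'sudo systemctl restart nginx' 'exit' \
        > "$dir/230103.081500.bob.pts0.22.6300"
}

# hist_grep PATTERN [DIR]: print "session-file:command" for every line that
# matches PATTERN in any session file. Because the file names start with the
# session date and time, the shell glob yields them in chronological order.
# An empty PATTERN matches every line, i.e. dumps the merged history.
hist_grep() {
    pattern=$1
    dir=${2:-$HIST_DIR}
    grep -H -e "$pattern" -- "$dir"/* 2>/dev/null | sed "s|^$dir/||" || true
}

# session_field NAME N: pull one dot-separated field out of a session file
# name (1=date, 2=time, 3=user, 4=terminal, 5=port, 6=pid).
session_field() {
    printf '%s\n' "$1" | cut -d. -f"$2"
}

# Stand-alone demo: HIST_DEMO=1 sh thisfile.sh
if [ "${HIST_DEMO:-}" = 1 ]; then
    demo_dir=$(mktemp -d)
    make_sample_history "$demo_dir"
    echo '--- every restart of nginx, with the session it came from ---'
    hist_grep 'systemctl restart nginx' "$demo_dir"
    echo '--- full merged history across sessions ---'
    hist_grep '' "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Each hit is prefixed with the session file name, so `session_field` can turn a hit back into the user or terminal that ran it; `hist_grep '' ~/.history` prints the whole merged history in session order. This only helps with searching: it does nothing about the bypass problem Solution 1 describes, since the files are still written by the user's own shell.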
-
tmow over 11 years
Thanks for your answer, I'm going to update the question so that it's more clear
-
tmow over 11 years
Thanks @Gilles, I agree with you that this is not the best way to do it, but our system administrators won't use other mechanisms beside the one imposed by the compliance rules. Using other solutions means fighting with the compliance officers to ask for a deviation from the standard compliance rules (it's madness). What I'm looking for is more a script or a "super" alias that can help us to work around the limitation of the history setup in this way. Indeed I'll propose the auditing as you proposed and let's see...
-
Dhiraj over 3 years
This was helpful to get different histories for each session. I had to put this under ~/.zshrc as I am using zsh.