A history file on Linux is one of the important files for the audit trail. But there are some complications with it if you use the Red Hat standards. Here I'm going to explain how a simple script can make your life much easier later.
Timestamps
First of all, if you check a history file you do not know at what date / time a user executed a specific command. So that last shutdown -r you see might be the reason your server went down, but it could just as well be 3 weeks old (of course you could look it up with lastcomm).
Luckily it's very easy to add timestamps to a history file; all you need to do is set the environment variable HISTTIMEFORMAT:
export HISTTIMEFORMAT='%F %T '
Root
One of the other problems is that users (especially operators / engineers) become root with sudo su. Once they are root they all write to the same history file, /root/.bash_history. If 2 users are logged in during the same time span it is impossible to tell which user did what.
To set up individual history files, even if a user does sudo su, you can use the command logname.
With logname you get the user's login name, so even if user richard does sudo su -, logname would still return richard. We can use this to change the history file to a user-specific file.
export HISTFILE=${HOME}/.hist.sa.`logname`
Profile
The best place to put all these environment variables is somewhere in /etc/profile.d/. I called the file history.sh (/etc/profile.d/history.sh).
If you paste the two solutions together you end up with a file like:
[root@srazzapp0008 ~]# cat /etc/profile.d/history.sh
# Define default history file and max history file size
# root (reached via "sudo su") gets one file per original login name,
# ~/.hist.sa.<login>; every other user gets ~/.hist.<login>
if [ "$(/usr/bin/whoami)" = "root" ]
then
    export HISTFILE=${HOME}/.hist.sa.$(/usr/bin/logname)
else
    export HISTFILE=${HOME}/.hist.$(/usr/bin/logname)
fi
# exported so that subshells inherit the limit as well
export HISTSIZE=5120
export HISTTIMEFORMAT='%F %T '
# lock the settings for everyone whose original login was not root
if [ "$(/usr/bin/logname)" != "root" ]; then
    readonly HISTFILE HISTSIZE HISTTIMEFORMAT
fi
And if I look at a system where this has been configured for a while, I see the following files:
[root@server8 ~]# ll ~/.hist.sa.*
-rw------- 1 root root 2279 Dec  2 16:20 /root/.hist.sa.user1
-rw------- 1 root root  553 Oct 13 07:42 /root/.hist.sa.user2
-rw------- 1 root root  875 Sep 30 16:51 /root/.hist.sa.user3
-rw------- 1 root root  168 Dec  4 08:28 /root/.hist.sa.user4
-rw------- 1 root root  314 Nov 11 12:42 /root/.hist.sa.user5
-rw------- 1 root root 5469 Nov 23 20:36 /root/.hist.sa.user6
-rw------- 1 root root 1023 Nov 11 13:49 /root/.hist.sa.user7
-rw------- 1 root root   80 Nov 15 15:19 /root/.hist.sa.user8
[root@server8 ~]# ll /home/*/.hist.*
-rw------- 1 user1 DomainUsers 8495 Dec  2 16:29 /home/user1/.hist.user1
-rw------- 1 user2 DomainUsers   20 Oct 13 07:42 /home/user2/.hist.user2
-rw------- 1 user3 DomainUsers   56 Sep 30 16:51 /home/user3/.hist.user3
-rw------- 1 user4 DomainUsers  647 Nov 11 14:01 /home/user4/.hist.user4
-rw------- 1 user5 DomainUsers  116 Dec  3 12:38 /home/user5/.hist.user5
-rw------- 1 user6 DomainUsers  210 Nov 11 13:39 /home/user6/.hist.user6
-rw------- 1 user7 DomainUsers  535 Nov 23 20:58 /home/user7/.hist.user7
-rw------- 1 user8 DomainUsers   92 Nov 11 13:49 /home/user8/.hist.user8
-rw------- 1 user9 DomainUsers   38 Nov 15 15:29 /home/user9/.hist.user9
And with the timestamps the history will look like:
[root@srazzapp0008 ~]# history
1 2011-12-03 09:14:43 halt -p
2 2011-12-04 08:18:03 cat /etc/profile.d/history.sh
3 2011-12-04 08:30:43 ll ~/.hist.sa.*
4 2011-12-04 08:34:37 ll /home/*/.hist.*
5 2011-12-04 08:41:20 history
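Bash keeps those timestamps in the file itself: when HISTTIMEFORMAT is set, every command in the history file is preceded by a line of the form #<epoch seconds>. That means the raw /root/.hist.sa.<user> and /home/<user>/.hist.<user> files can be read during an investigation without opening a shell as that user. The script below is an added example, not part of the original post or of history.sh. It renders such a file into the same timestamped form as the history output above, marks commands that were recorded before HISTTIMEFORMAT was in effect as unknown-time, and does not mistake a comment the user typed (a line starting with # but not consisting only of digits) for a timestamp. It assumes GNU date (the -d @<epoch> form) and the naming convention of history.sh, where the login name is the last dotted suffix of the file name; the sample history file it builds is constructed.

```shell
#!/bin/sh
# Added example: render a raw bash history file written with HISTTIMEFORMAT set.
# Bash stores each command's time as a "#<epoch seconds>" line directly before
# the command, so the per-user files from history.sh can be read offline.
# Assumes GNU date (date -d @<epoch>) and the history.sh naming convention,
# where the login name is the last dotted suffix of the file name.
#
# Usage: render_history /root/.hist.sa.user1 [user1]

render_history() {
    file="$1"
    who="${2:-${file##*.}}"      # default user label: ~/.hist.sa.user1 -> user1
    ts=""
    while IFS= read -r line || [ -n "$line" ]; do
        stamp="${line#\#}"
        case "$line" in
            '#'*)
                case "$stamp" in
                    ''|*[!0-9]*) ;;               # a real command that starts with '#'
                    *) ts="$stamp"; continue ;;   # bash timestamp line: keep for next command
                esac ;;
        esac
        if [ -n "$ts" ]; then
            when=$(date -u -d "@$ts" '+%F %T')    # rendered in UTC
        else
            when="unknown-time"                   # recorded before HISTTIMEFORMAT was set
        fi
        printf '%s %s %s\n' "$when" "$who" "$line"
        ts=""
    done < "$file"
}

# Constructed sample file (not from a real system) exercising both edge cases:
# a command without a timestamp, and a typed comment that also starts with '#'.
demo_render_history() {
    tmp=$(mktemp)
    printf '%s\n' 'halt -p' '#1322900083' 'cat /etc/profile.d/history.sh' \
        '#1322905200' '# note: reboot approved' > "$tmp"
    render_history "$tmp" user1
    rm -f "$tmp"
}

# Stand-alone: render the files named on the command line, else the sample.
if [ $# -gt 0 ]; then
    for f in "$@"; do render_history "$f"; done
else
    demo_render_history
fi
```

Run as root with the files from the listing above, e.g. render_history /root/.hist.sa.user1, to get one line per command with the UTC time and the login name in front; the output of the built-in history command is in local time, so compare accordingly.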
Security
This works nicely, but there are some big security holes. First of all, if a user can become root with sudo su, he can temporarily undo the script and alter the history files.
A normal user can remove or edit his/her own history file. If they do it from the command line it will leave traces in the new history file, but if they do it from e.g. cron you will not find anything.
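A check a defender can run against the listing above, added here as an example (it is not from the original post): it walks every home directory under a base directory and reports history files that are missing, empty, or not mode 0600, which is what a removed or truncated file from the scenario just described would look like. It assumes the naming convention of history.sh (/home/<user>/.hist.<user>), GNU stat, and that all home directories live under the given base; the sample home tree it builds is constructed.

```shell
#!/bin/sh
# Added example: audit the per-user history files that history.sh produces.
# For every directory <base>/<user> it expects <base>/<user>/.hist.<user> to
# exist, to be non-empty and to be mode 0600 (as in the listing above) and
# prints one line per deviation. Assumes GNU stat and a Linux host.
#
# Usage: audit_history_files /home      (exit status 1 if anything was reported)

audit_history_files() {
    base="$1"
    rc=0
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        hist="$home.hist.$user"          # $home ends with a slash
        if [ ! -f "$hist" ]; then
            echo "MISSING $user/.hist.$user"        # never logged in, or removed
            rc=1
        elif [ ! -s "$hist" ]; then
            echo "EMPTY $user/.hist.$user"          # truncated
            rc=1
        else
            mode=$(stat -c '%a' "$hist")
            if [ "$mode" != "600" ]; then
                echo "MODE $user/.hist.$user $mode"  # readable by others
                rc=1
            fi
        fi
    done
    return $rc
}

# Constructed home tree (not a real system): user1 is fine, user2 has no
# history file, user3's is empty and user4's is world-readable.
demo_audit_history_files() {
    base=$(mktemp -d)
    mkdir -p "$base/user1" "$base/user2" "$base/user3" "$base/user4"
    printf '#1322900083\nls\n' > "$base/user1/.hist.user1"
    chmod 600 "$base/user1/.hist.user1"
    : > "$base/user3/.hist.user3"
    chmod 600 "$base/user3/.hist.user3"
    printf 'id\n' > "$base/user4/.hist.user4"
    chmod 644 "$base/user4/.hist.user4"
    status=0
    audit_history_files "$base" || status=$?
    rm -rf "$base"
    return $status
}

# Stand-alone: audit the base directory given on the command line, else the sample.
if [ $# -gt 0 ]; then
    audit_history_files "$1"
else
    demo_audit_history_files || true
fi
```

Because a user who can write to his own history file can also make it look plausible, a clean run of this check is evidence of absence only for the crude cases (file gone or emptied); a copy of the history files taken regularly from cron to a location the users cannot write gives you something to compare against.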
