I would like to modify the history settings for all users on the systems that I manage.
I would like it to contain the information from the connecting terminal, like from who:
sysadmin:/ # who
sysadmin pts/0 Mar 26 07:11 (sysadmin.doofus.local)
I currently modify my history in the following ways. I know that many of these settings have been covered here several times. However, I pulled this code from "Linux System Administration Recipes by: Juliet Kemp" long ago.
shopt -s histappend
PROMPT_COMMAND='history -n;history -a'
HISTSIZE=100000
HISTFILESIZE=100000
HISTTIMEFORMAT="%m/%d/%y %T "
shopt -s histappend
fixes the problem where, with multiple terminals open, information may be lost.
PROMPT_COMMAND='history -n;history -a'
extends that to give real-time appending to history across multiple terminals.
HISTSIZE=100000
HISTFILESIZE=100000
extend the amount of history retention.
HISTTIMEFORMAT="%m/%d/%y %T "
prefaces each line of history with a time stamp.
What you typically get with history:
835 ls
836 cd ..
My modified current history results:
5853 03/26/12 07:16:49 ls
5854 03/26/12 07:16:50 ll
The return from history I would like to see:
5853 03/26/12 07:16:49 sysadmin.doofus.local ls
5854 03/26/12 07:16:50 sysadmin.doofus.local ll
001 03/26/12 05:11:29 demo_user.doofus.local cd
002 03/26/12 05:11:30 demo_user.doofus.local ll
I am not "married" to seeing the DNS name. I would only want it there if it pulls it from who or another location without the need to perform a lookup or query of any kind. I would be happy with an IP address.
002 03/26/12 05:11:30 192.168.0.2 ll
Why? I manage several systems where a userid is shared by several users of the same group to do their daily tasks. This would allow me to correlate their real location and actual user within the organization to what they did in the history.
I am aware that this is not optimal and would like to change it, but when you are on a ship the size of a cruise liner you don't attempt to make hairpin turns. (Note: when you do, the passengers try to toss you overboard.)
Anyway, until I am able to migrate them to a better solution I would like to have this tracking ability.
Also, if you have any recommendations over what I am currently using for my history modifications I would love to hear them.
Thanks,
Edit 1:
I do not want to run other programs or have to configure anything additional "within reason."
I want to add 0 overhead; if I do have to add it, it needs to be small.
I do trust my users. I just would like (should something happen) to see which of the, say, 10 users that logged into the system with the same user:password did it. Or it might not have been a user; it could have been a forgotten cron on a system that performs a connection as a user to do something. Or an application, e.g. BMC Control-M, that connects over ssh and runs tasks. It is not so much about finding "bad users" as being able to track it down with a minimum of effort.
Edit 2:
The systems are running SLES and RHEL
/proc, /dev and users' home directories. This adds overhead. Whereas history is already being recorded and their connection information is known to the system (connecting IP etc...). This information, if not already available "statically", could be set that way or stored in a variable or file and input to the history records, and the performance hit would be very small or 0. – 2bc Mar 27 '12 at 17:09

auditd. I'm not sure if its logs will give you enough information. The difficulty of what you want is precisely why shared accounts are so decried. – Gilles 'SO- stop being evil' Mar 27 '12 at 21:49

auditd is a lot like inotify: you have to tell it what to monitor for changes. Individual files, directories, etc. I don't want to go to that level of configuration. In fact (I do) but essentially don't care so much. I have puppet to handle that stuff. auditd comes with the additional load and time to set up as well. If an account is modifying something I still would like to look back in the history and see who or what is logging in and trying. – 2bc Mar 27 '12 at 22:32

PROMPT_COMMAND= just runs normal commands before the next prompt; couldn't you write a function calling sed/awk that works on the last line of the history file to add in the information, then call that function in PROMPT_COMMAND= to append the data? It would be hackish but should do the job. – llua Apr 09 '12 at 15:16