Tracking User History in Linux

On a Linux system, users and their work can be tracked through the shell history. However, a user can easily delete the history and its file, .bash_history. To preserve the history file and keep the user from deleting it, bash can be tweaked as follows. The settings redirect every command typed at the command line to syslog via the logger command. They also set the history and the history size to an infinite limit that cannot be cleared by the user.

Paste these in your /etc/profile file:

# Redirect the history to syslog.
export PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'

# Prevent unset of HISTFILE, /etc/profile
export HISTFILE=~/.bash_history
export HISTSIZE=10000
export HISTFILESIZE=999999
export HISTTIMEFORMAT="%F %T:"

# Don't let the users enter commands that are ignored in the history file
HISTIGNORE=""
HISTCONTROL=""
readonly HISTFILE
readonly PROMPT_COMMAND
readonly HISTSIZE
readonly HISTFILESIZE
readonly HISTIGNORE
readonly HISTCONTROL
readonly HISTTIMEFORMAT

# Remove the default history settings from the .bashrc in the user's home directory
sed -i 's/HISTFILESIZE=2000//g' ~/.bashrc
sed -i 's/HISTSIZE=1000//g' ~/.bashrc
sed -i 's/HISTCONTROL=ignoreboth//g' ~/.bashrc
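
To confirm that the settings above actually took effect, the following added example (not part of the original post) sources a profile file in a clean bash and lists every history variable that is not read-only afterwards. The function names and the sample profile are constructed for illustration, and bash is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: audits a profile snippet like the one above. Needs bash on PATH.

# Variables the snippet declares readonly.
LOCKED_VARS="HISTFILE PROMPT_COMMAND HISTSIZE HISTFILESIZE HISTIGNORE HISTCONTROL HISTTIMEFORMAT"

# write_sample_profile FILE: constructed sample input, the settings from
# this page without the sed lines (so the audit never edits ~/.bashrc).
write_sample_profile() {
    cat > "$1" <<'EOF'
export PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'
export HISTFILE=~/.bash_history
export HISTSIZE=10000
export HISTFILESIZE=999999
export HISTTIMEFORMAT="%F %T:"
HISTIGNORE=""
HISTCONTROL=""
readonly HISTFILE PROMPT_COMMAND HISTSIZE HISTFILESIZE
readonly HISTIGNORE HISTCONTROL HISTTIMEFORMAT
EOF
}

# audit_history_lock FILE: source FILE in a clean bash (no rc files) and print
# every variable from LOCKED_VARS that is not read-only afterwards.
# Returns 0 when all are locked, 1 when at least one is not.
audit_history_lock() {
    ahl_unlocked=$(bash --noprofile --norc -c '
        . "$1" >/dev/null 2>&1
        shift
        for v in "$@"; do
            # declare -p prints e.g. "declare -rx HISTSIZE=..."; field 2 holds the flags.
            flags=$(declare -p "$v" 2>/dev/null | cut -d" " -f2)
            case $flags in
                -*r*) ;;                  # read-only: fine
                *) printf "%s\n" "$v" ;;  # unset or still writable
            esac
        done
    ' audit "$1" $LOCKED_VARS)
    [ -z "$ahl_unlocked" ] && return 0
    printf '%s\n' "$ahl_unlocked"
    return 1
}

# Stand-alone use: sh audit.sh FILE (FILE is sourced, so any command in it runs)
if [ "$#" -gt 0 ]; then audit_history_lock "$1"; fi
```

An empty result with exit status 0 means every variable is locked; any name printed is one a user could still change in that shell.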

(Note: You can also use other Linux auditing tools such as snoopy, acct, etc.)
