AIX, Red Hat, Security, System Admin↑ System-wide separated shell history files for each user and session
Here's how you can set up your /etc/profile in order to create a separate shell history file for each user and each login session. This is very useful when you need to know who exactly ran a specific command at a point in time. For Red Hat Linux, put the updates in either /etc/profile or /etc/bashrc.
Put this in /etc/profile on all servers:
# HISTFILE
# execute only if interactive
if [ -t 0 -a "${SHELL}" != "/bin/bsh" ]
then
d=`date "+%H%M.%m%d%y"`
t=`tty | cut -c6-`
u=`who am i | awk '{print $1}'`
w=`who -ms | awk '{print $NF}' | sed "s/(//g" | sed "s/)//g"`
y=`tty | cut -c6- | sed "s/\//-/g"`
mkdir $HOME/.history.$USER 2>/dev/null
export HISTFILE=$HOME/.history.$USER/.sh_history.$USER.$u.$w.$y.$d
find $HOME/.history.$USER/.s* -type f -ctime +91 -exec rm {} \; 2>/dev/null
H=`uname -n | cut -f1 -d'.'`
mywhoami=`whoami`
if [ ${mywhoami} = "root" ] ; then
PS1='${USER}@(${H}) ${PWD##/*/} # '
else
PS1='${USER}@(${H}) ${PWD##/*/} $ '
fi
fi
# Time out after 60 minutes
# Use readonly if you don't want users to be able to change it.
# readonly TMOUT=3600
TMOUT=3600
export TMOUT
When using ksh, put this in /etc/environment, to turn on time stamped history files:
# Added for extended shell history EXTENDED_HISTORY=ON
When using bash, put this in /etc/bashrc, to enable time-stamped output when running the "history" command:
HISTTIMEFORMAT='%F %T '; export HISTTIMEFORMAT
This way, *every* user on the system will have a separate shell history in the .history directory of their home directory. Each shell history file name shows you which account was used to login, which account was switched to, on which tty this happened, and at what date and time this happened.
Shell history files are also time-stamped internally. For AIX, you can run "fc -t" to show the shell history time-stamped. For Red Hat, you can run: "history". Old shell history files are cleaned up after 3 months, because of the find command in the example above. Plus, user accounts will log out automatically after 60 minutes (3600 seconds) of inactivity, by setting the TMOUT variable to 3600. You can avoid running into a time-out by simply typing "read" or "\" followed by ENTER on the command line, or by adding "TMOUT=0" to a user's .profile, which essentially disables the time-out for that particular user.
One issue that you now may run into on AIX, is that because a separate history file is created for each login session, that it will become difficult to run "fc -t", because the fc command will only list the commands from the current session, and not those written to a different history file. To overcome this issue, you can set the HISTFILE variable to the file you want to run "fc -t" for:
# export HISTFILE=.sh_history.root.user.10.190.41.116.pts-4.1706.120210
Then, to list all the commands for this history file, make sure you start a new shell and run the "fc -t" command:
# ksh "fc -t -10"
This will list the last 10 commands for that history file.
Subscribe to Article
Print Article
Email Article to Friend
Export to PDF
Export to MS Word