Centralised History files

September 29, 2011

If you want to centralise the .sh_history files, and also want to see the commands someone ran after switching to root (su - root), with a timestamp in the name of the file, you can place this in /etc/profile:

HISTFILE=/tmp/.sh_history.$USER.$(who am i |awk '{print $1}').$(date +%y%m%d_%H%M%S).log

export HISTFILE

When someone logs in with the username dcroroo1, the file looks like:
 
-rw-------    1 dcroroo1 tcc              12 Sep 29 13:56 .sh_history.dcroroo1.dcroroo1.110929_135653.log
 
This file logs his commands (without the command output).
 
When this user does a su to root, a new file is created with the name:
 
-rw-------    1 root     system           22 Sep 29 13:58 .sh_history.root.dcroroo1.110929_135815.log
 
This file logs the commands that the user ran as the root user.
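
As an added example (not part of the original post), the following sh functions parse the file-name scheme above and list the history files where the shell user differs from the login user. The function names are hypothetical, and the code assumes that user names contain no dots and that the yy in the timestamp means 20yy.

```shell
#!/bin/sh
# Added example (not from the original post). Parses names of the form
#   .sh_history.<USER>.<login user>.<yymmdd_HHMMSS>.log
# Assumptions: user names contain no dots; years are 20yy.

# parse_histname FILE: print "<USER> <login> <YYYY-MM-DD HH:MM:SS>";
# return 1 if the name does not follow the scheme.
parse_histname() {
    name=${1##*/}
    case $name in
        .sh_history.*.*.[0-9][0-9][0-9][0-9][0-9][0-9]_[0-9][0-9][0-9][0-9][0-9][0-9].log) ;;
        *) return 1 ;;
    esac
    rest=${name#.sh_history.}; rest=${rest%.log}
    stamp=${rest##*.}          # yymmdd_HHMMSS
    users=${rest%.*}           # <USER>.<login>
    eff=${users%%.*}
    login=${users#*.}
    # Reject empty names and extra dots (ambiguous split).
    case $eff in '') return 1 ;; esac
    case $login in ''|*.*) return 1 ;; esac
    when=$(printf '%s\n' "$stamp" |
        sed 's/^\(..\)\(..\)\(..\)_\(..\)\(..\)\(..\)$/20\1-\2-\3 \4:\5:\6/')
    printf '%s %s %s\n' "$eff" "$login" "$when"
}

# list_su_sessions DIR: one line per history file whose shell user differs
# from the login user, i.e. sessions started after a switch of user.
list_su_sessions() {
    for f in "$1"/.sh_history.*.log; do
        [ -f "$f" ] || continue
        info=$(parse_histname "$f") || continue
        eff=${info%% *}; rem=${info#* }
        login=${rem%% *}; when=${rem#* }
        if [ "$eff" != "$login" ]; then
            printf '%s %s -> %s %s\n' "$when" "$login" "$eff" "${f##*/}"
        fi
    done
    return 0
}

# Constructed sample: two empty files named like the ones in the post.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/.sh_history.dcroroo1.dcroroo1.110929_135653.log"
    : > "$d/.sh_history.root.dcroroo1.110929_135815.log"
    list_su_sessions "$d"
    rm -rf "$d"
}
```

Each file is mode -rw------- and owned by the user it records, so that user can still edit or remove it; treat the listing as a convenience record rather than a tamper-evident one.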
 
 
