Tracking people’s history

FROM http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html

4.10.9 Hand-made user auditing

If you are paranoid you might want to add a system-wide /etc/profile
that sets the environment in a way such that they cannot remove audit
capabilities from the shell (commands are dumped to $HISTFILE. The
/etc/profile could be set as follows:

       HISTFILE=~/.bash_history
       HISTSIZE=100000000000000000
       HISTFILESIZE=10000000000000000
       readonly HISTFILE
       readonly HISTSIZE
       readonly HISTFILESIZE
       export HISTFILE HISTSIZE HISTFILESIZE
  • Breeze

    Well that’s a good idea, but:
    The user owns his “~/.bashrc” or has to have at least write access to append to the history.
    So the user can easily avoid auditing by removing a few commands from in between the history, and you’d not even know, because the file changes anyway.

    And “HISTCONTROL=ignorespace” is maybe set also, so a command beginning with a space won’t show up in the history at all.

    But still a good idea, if the users don’t know where to look or are too lazy ;)

    - Breeze