Friday, October 17, 2008

Accountability, At The Shell Level

Recently one of my projects is having some 'accountability' problem. A service daemon was down at 3+am and we had no clue in why it was not responsing to requests. From the 'last' command, we realised that someone login to the server but we were not able to trace what had been done by the user. BTW, this user owns that service daemon and he/she has all the rights to start/stop the service.

To avoid such incident to happen again, may be we can 'track' that user activity. In Solaris, I can turn on the C2 log as what I mentioned in my previous blog. However, that service daemon is running on Linux.

One quick fix is to tap on to the history capability of Bash shell. According to the man page of bash, these are the variables that we can set to control the command history

              If  this  variable  is  set and not null, its value is used as a
              format string for strftime(3) to print the time stamp associated
              with  each  history  entry displayed by the history builtin.  If
              this variable is set, time stamps are  written  to  the  history
              file so they may be preserved across shell sessions.
              The name of the file in which command history is saved (see HIS-
              TORY  below).   The default value is ~/.bash_history.  If unset,
              the command history is  not  saved  when  an  interactive  shell
              The maximum number of lines contained in the history file.  When
              this variable is assigned a value, the  history  file  is  trun-
              cated,  if necessary, by removing the oldest entries, to contain
              no more than that number of lines.  The default  value  is  500.
              The history file is also truncated to this size after writing it
              when an interactive shell exits.
              The number of commands to remember in the command  history  (see
              HISTORY below).  The default value is 500.

It is possible to set up the history file to be located in another location instead of the default $HOME/.bash_history. We can set that in /etc/profile like this where the file is unique for every login session based on time and process id.

[ -d $_HISTDIR ] || mkdir $_HISTDIR
HISTFILE="$_HISTDIR/`date '+%Y%m%d%H%M%S'`-$$"

The /history has to made with sticky bit on so that any user can create directory and own the content. Because of the HISTTIMEFORMAT, timestamp is also registered in the history file.

$ cat /history/`whoami`/20081017220353-16324
cd /history/chihung/
ls -l
more 20081017220337

Now we should get some accountability.



Blogger fiedlert said...

So another nice feature is atomic shell history

# Atomic history
export PROMPT_COMMAND='history -a'

This makes your history immediately available.

9:53 PM  

Post a Comment

<< Home