Shell – Deal with multiple command history files

Where I work, for security and auditing purposes, we have to keep one history file for each session (user, date, terminal, etc. in the file name).

Obviously, the HISTFILE variable is set to read-only (readonly HISTFILE), so a normal user cannot set a different history file (not even root, without changing /etc/profile).

This is what we have in the /etc/profile:

EXTENDED_HISTORY=ON
readonly EXTENDED_HISTORY
export EXTENDED_HISTORY
HISTFILE=$HOME/.history/`date +%y%m%d.%H%M%S`.${WHO_USER:-user}.${WHO_TERMINAL:-term}.${SSH_PORT:-port}.${MY_PID:-pid}
readonly HISTFILE
export HISTFILE

The big issue is that we cannot search for old commands, except by grepping the older files.

Do you please have a simple workaround or even a better solution to keep the auditing and still be able to share the command history across multiple sessions?

We use ksh and bash.

Asked By: tmow


I’m not 100% clear on what you’re asking, but here’s how I get separate history for each session. It’s basically named according to host and pty. This is for bash.

# Unique history file per shell session.
HISTSIZE=300                       # commands kept in memory
# short host name plus the pty name, e.g. ~/.bash_hist_myhost_pts1
HISTFILE=$HOME/.bash_hist_${HOSTNAME/.*/}_$(basename "$(tty)")
HISTFILESIZE=500                   # lines kept in the file (SAVEHIST is the zsh name and has no effect in bash)
export HISTCONTROL=ignoredups

This is in a ~/.bashrc file. I don’t understand what you mean by you can’t change HISTFILE.

One drawback is you can’t predict what session history you will get. But to audit you can grep the full set:

grep something ~/.bash_hist_*

But you do keep the context of a session in a separate file.

Answered By: Keith
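The question asks for a way to keep the per-session files and still search or reuse earlier sessions' commands, and Keith's answer does it with a grep over the whole set. As an added example (not code from the question or from either answer), the functions below take that a step further: they merge every file under the question's $HOME/.history directory, oldest first, into one deduplicated list, search it with the session file name attached to each hit, and, in bash, preload it into the running shell with `history -r` without touching the read-only HISTFILE. The directory layout is the one from the question's /etc/profile; the sample files at the bottom are constructed for the demo, not real audit data.

```shell
#!/bin/sh
# Added example, not code from the question or from the answers above.
# Assumes the $HOME/.history/<yymmdd.HHMMSS.user.term.port.pid> layout
# forced by the question's /etc/profile. HISTFILE itself is never changed,
# so each session keeps writing to its own read-only audit file.

# Print every command recorded in the history files under $1, oldest file
# first (the yymmdd.HHMMSS prefix makes lexical order chronological),
# keeping only the most recent occurrence of each repeated command.
# Lines of the form #1704100000 are bash timestamps (HISTTIMEFORMAT) and
# are dropped.
merged_history() {
    mh_dir=$1
    for mh_f in "$mh_dir"/*; do
        [ -f "$mh_f" ] && cat "$mh_f"
    done |
    grep -v '^#[0-9][0-9]*$' |
    awk '
        { line[NR] = $0 }
        END {
            # walk backwards so the newest copy of a command wins
            for (i = NR; i >= 1; i--) if (!seen[line[i]]++) keep[++n] = line[i]
            for (i = n; i >= 1; i--) print keep[i]
        }'
}

# Search every session file under $1 for pattern $2.  The extra /dev/null
# argument forces grep to prefix each hit with the file name, which encodes
# date, user, terminal and pid, so every hit stays attributable to a session.
hgrep() {
    hg_dir=$1
    hg_pat=$2
    grep -e "$hg_pat" "$hg_dir"/* /dev/null
}

# bash only: load the merged history into the current interactive shell.
# With histappend set, bash writes back only the lines typed in this
# session (on exit or on `history -a`), so the preloaded lines are not
# copied into this session's audit file.
preload_history() {
    ph_tmp=$(mktemp) || return 1
    merged_history "$1" > "$ph_tmp"
    shopt -s histappend
    history -r "$ph_tmp"
    rm -f "$ph_tmp"
}

# Constructed sample files (not real audit data) to exercise the functions.
make_demo_history() {
    md_dir=$(mktemp -d) || return 1
    mkdir -p "$md_dir/.history"
    printf '%s\n' 'ls -l' 'cd /tmp' \
        > "$md_dir/.history/240101.090000.alice.pts1.22.100"
    printf '%s\n' '#1704100000' 'cd /tmp' 'sudo systemctl restart nginx' \
        > "$md_dir/.history/240102.100000.alice.pts2.22.200"
    printf '%s\n' "$md_dir"
}

demo=$(make_demo_history)
merged_history "$demo/.history"
hgrep "$demo/.history" nginx
rm -rf "$demo"
```

Call `preload_history "$HOME/.history"` from ~/.bashrc, after /etc/profile has set HISTFILE. The histappend shopt is what keeps the audit trail honest: without it, bash writes the whole in-memory list, old sessions included, to HISTFILE at exit, and the per-session file stops being a record of that session. ksh has no `history -r`; there, hgrep still works against the same directory.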

Shell history files are a poor way of auditing commands. They can trivially be modified or bypassed by users. They are only useful if you trust users not to deliberately or accidentally bypass the auditing mechanism. For example, commands started from a GUI, from an editor, etc. aren’t recorded this way. There are many other ways a user could launch non-logged commands and even maintain plausible deniability that they were doing it for convenience or without realizing it and not as a deliberate attempt to bypass a security measure.

If you make the history files append-only (which requires running chattr +a as root on the history file), then everything that’s been recorded stays recorded, but it’s still easy to bypass the recording.

Rather than keep separate history files, you could keep a single history file and back it up regularly. That will retain the date at which commands were executed, but not the terminal.

If you need to have some confidence that the logs correspond to the commands that were executed, shell history files are the wrong tool. Use the audit daemon instead. Configure it to log all execve calls.

auditctl -A exit,always -S execve

See the following questions for more information:
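Added example, not part of the answer above: the answer's execve rule written as a rules-file fragment with one `-F arch=` filter per ABI (auditctl warns about syscall rules that do not say which ABI they cover on a 64-bit host), followed by an awk pass over raw audit.log records that joins each SYSCALL record with its EXECVE record by event serial and prints who ran what. The rules path and the `exec_audit` key are assumptions; the log records are constructed to look like auditd output and were not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the answer above.  The rules path and the
# exec_audit key are assumptions; the log records below are constructed.

# The answer's `auditctl -A exit,always -S execve` as rules.d syntax
# (assumed file /etc/audit/rules.d/50-exec.rules), one rule per ABI so
# 32-bit binaries on a 64-bit host are logged too.  The key lets
# `ausearch -k exec_audit` pull the events back out.  Install with:
#   printf '%s\n' "$audit_rules" > /etc/audit/rules.d/50-exec.rules && augenrules --load
audit_rules='-a always,exit -F arch=b64 -S execve -k exec_audit
-a always,exit -F arch=b32 -S execve -k exec_audit'

# Reduce raw audit.log records on stdin to one line per exec: timestamp,
# uid, auid (the login uid, which survives sudo/su), tty and argv.
# Arguments containing spaces or other special bytes are hex-encoded in the
# log (unquoted a1=2F...) and are decoded here.  ausearch -i does the same
# decoding and is the authoritative tool for real logs; in gawk under a
# UTF-8 locale, bytes above 0x7F may not round-trip byte for byte.
exec_report() {
    awk '
        function dehex(h,   out, j) {
            out = ""
            for (j = 1; j <= length(h); j += 2)
                out = out hex[toupper(substr(h, j, 2))]
            return out
        }
        BEGIN { for (i = 1; i < 256; i++) hex[sprintf("%02X", i)] = sprintf("%c", i) }
        # every record carries msg=audit(<time>:<serial>); the serial ties
        # the SYSCALL and EXECVE records of one event together
        {
            if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
            split(substr($0, RSTART + 10, RLENGTH - 11), p, ":")
            ts = p[1]; id = p[2]
        }
        /^type=SYSCALL / {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "uid" || kv[1] == "auid" || kv[1] == "tty")
                    field[id, kv[1]] = kv[2]
            }
            when[id] = ts
            order[++n] = id
        }
        /^type=EXECVE / {
            cmd = ""
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^a[0-9]+=/) continue
                v = substr($i, index($i, "=") + 1)
                if (v ~ /^"/) v = substr(v, 2, length(v) - 2)
                else v = dehex(v)
                cmd = cmd (cmd == "" ? "" : " ") v
            }
            argv[id] = cmd
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                printf "%s uid=%s auid=%s tty=%s cmd=%s\n",
                    when[id], field[id, "uid"], field[id, "auid"],
                    field[id, "tty"], argv[id]
            }
        }'
}

# Constructed sample records, trimmed to the fields used here.  Event 456:
# alice runs `sudo sh -c "ls -l /root"`.  Event 457: the sh that sudo
# execs runs as uid 0, but auid still says 1000; the -c argument is
# hex-encoded in both records because it contains spaces.
sample_log='type=SYSCALL msg=audit(1704100000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=3 comm="sudo" exe="/usr/bin/sudo" key="exec_audit"
type=EXECVE msg=audit(1704100000.123:456): argc=4 a0="sudo" a1="sh" a2="-c" a3=6C73202D6C202F726F6F74
type=SYSCALL msg=audit(1704100005.900:457): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=3 comm="sh" exe="/usr/bin/dash" key="exec_audit"
type=EXECVE msg=audit(1704100005.900:457): argc=3 a0="sh" a1="-c" a2=6C73202D6C202F726F6F74'

printf '%s\n' "$sample_log" | exec_report
```

The auid column is the reason this beats a history file for attribution: after `sudo` the uid is 0, but auid (set by pam_loginuid at login) still names the account that logged in, and tty names the terminal, which is the same information the question's /etc/profile tries to encode into file names. On a live system, feed `exec_report` from /var/log/audit/audit.log or from `ausearch -k exec_audit --raw`.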
