Archiving Korn Shell History Files
John Spurgeon and Ed Schaefer
Shell history gives users the ability to manipulate commands previously entered
at the command line. It is not an auditing tool. Nevertheless, systems administrators
often resort to looking at shell history files to trace user activity. When
used as an audit utility, shell history has serious drawbacks. For example:
- Once a shell history file contains the maximum number of commands, old
commands are removed as new ones are entered.
- History files may be modified by a user who is trying to cover his tracks.
- Timestamps are not available to determine when a command was executed.
- History files are typically stored in each user's home directory, which
makes it difficult to collect and process the information centrally.
- It can be tricky to tell who executed certain commands if someone used
su to become another user, such as root.
In this column, we present a collection of shell scripts that attempts to
mitigate some of these drawbacks. You shouldn't rely on our solution to catch
users bent on mischief. Tools like Solaris's Basic Security Module (BSM) are
better suited for that type of monitoring. However, you might find that our
scripts significantly increase the value of your shell history files. Also,
the resulting information might be easier to work with than the massive amounts
of data that can be generated by a system like BSM.
Program Design
The Korn shell provides the ability to retrieve a user's command history,
which is stored in a file identified by the HISTFILE environment variable. The
number of commands stored in this file is defined by the value of the variable
HISTSIZE. Other shells may provide similar shell history capabilities, but our
focus is limited to the Korn shell.
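To make the mitigation concrete, here is an added example (not one of the column's own scripts) of the archiving step such a collection would perform: each command from a user's history is appended to a central, append-only log together with a timestamp, the effective user and the login user, which addresses the missing-timestamp, scattered-location and su-attribution drawbacks listed above. It assumes the history has first been exported to one command per line (in ksh, `fc -ln 1 > file` does this), because the raw file named by HISTFILE is not plain text; the function names, the tab-separated record layout and the sample history are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the column. Archives an exported shell history
# into a central log with one tab-separated record per command:
#   <timestamp> <login user> <effective user> <command>

# archive_history SRC DEST EFFECTIVE_USER LOGIN_USER TIMESTAMP
# SRC holds one command per line (assumed produced by `fc -ln` in ksh).
# Empty lines are skipped; every other line becomes one record in DEST.
archive_history() {
    src=$1; dest=$2; euser=$3; luser=$4; stamp=$5
    [ -r "$src" ] || return 1
    # `|| [ -n "$cmd" ]` also handles a final line without a trailing newline.
    while IFS= read -r cmd || [ -n "$cmd" ]; do
        [ -n "$cmd" ] || continue
        printf '%s\t%s\t%s\t%s\n' "$stamp" "$luser" "$euser" "$cmd" >> "$dest"
    done < "$src"
}

# count_entries DEST EFFECTIVE_USER
# Prints how many archived records belong to the given effective user, so an
# administrator can answer "what did root run?" from the central log alone.
count_entries() {
    dest=$1; euser=$2
    awk -F'\t' -v u="$euser" '$3 == u { n++ } END { print n + 0 }' "$dest"
}

# demo: run the archiver over a constructed history and report the root count.
demo() {
    tmp=$(mktemp -d)
    # Constructed sample history, as `fc -ln` might export it (note the blank line).
    printf 'ls -l /etc\ndf -k\n\nvi /etc/hosts\n' > "$tmp/hist.txt"
    archive_history "$tmp/hist.txt" "$tmp/archive.log" root alice "2003-01-01 12:00:00"
    count_entries "$tmp/archive.log" root
    rm -rf "$tmp"
}
```

In a real deployment the third and fourth arguments would come from `id -un` (the effective user after an su) and `logname` (the user who actually logged in), and the timestamp from `date`; the log itself belongs on a filesystem the users cannot write to, otherwise the tampering drawback remains.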