HPE Community
Operating System - HP-UX
1757588 Members
2754 Online
108862 Solutions
New Discussion

Re: HOW to grep for "rm" or a specific command from users' .sh_history file?

 
Kennedy G. Doss
Regular Advisor

‎10-25-2011 07:53 AM

‎10-25-2011 07:53 AM

HOW to grep for "rm" or a specific command from users' .sh_history file?

Fellow SAs:

 

Can someone suggest an easy way to investigate which user issued a specific command from his/her history file. I have a list of 50 users and I want to detect who used either "rm" or "mv" command. Please forward any known "find" string or script that you may use for this kind of activity. Thanks in advance for your time and inputs.

 

Regards,

-Kennedy

0 Kudos
Reply
3 REPLIES 3
James R. Ferguson
Acclaimed Contributor

‎10-25-2011 08:10 AM

‎10-25-2011 08:10 AM

Re: HOW to grep for "rm" or a specific command from users' .sh_history file?

Hi Kennedy:

 

First, remember that any user who wishes to hide his/her activity only has to remove his/her '.sh_history' or truncate it by redirecting '/dev/null' into it.

 

That said, you could try (as root):

 

# find /home -name .sh_history -exec grep -E "mv|rm" {} +

 

This assumes that the user's default shell is '.sh_history' and that its path is in '/home'.  You could address this by examining '/etc/passwd' to obtain a list of users as well as their HOME login directory and shell.

 

Regards!

 

...JRF...

Reply
Kennedy G. Doss
Regular Advisor

‎10-25-2011 08:16 AM

‎10-25-2011 08:16 AM

Re: HOW to grep for "rm" or a specific command from users' .sh_history file?

James:

 

Thanks a billion.... I really appreciate it. I will try out your string/suggestion.

 

Other users, please keep it coming...

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎10-25-2011 09:29 PM

‎10-25-2011 09:29 PM

Re: HOW to grep for "rm" or a specific command from users' .sh_history file?

>Other users, please keep it coming...

 

There are not very many ways to do this.  Of course the user could rename his history file and put it elsewhere with:

   export HISTFILE=

 

You could grep his ~/.profile to check for that.  And of course there is a separate history for the scummy C shell,  And I suppose bash could use a different one,

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.