Languages and Scripting
HOW to grep for "rm" or a specific command from users' .sh_history file?

Regular Advisor

HOW to grep for "rm" or a specific command from users' .sh_history file?

Fellow SAs:

Can someone suggest an easy way to investigate which user issued a specific command from his/her history file. I have a list of 50 users and I want to detect who used either "rm" or "mv" command. Please forward any known "find" string or script that you may use for this kind of activity. Thanks in advance for your time and inputs.

Regards,

-Kennedy

3 REPLIES
Acclaimed Contributor

Re: HOW to grep for "rm" or a specific command from users' .sh_history file?

Hi Kennedy:

First, remember that any user who wishes to hide his/her activity only has to remove his/her '.sh_history' or truncate it by redirecting '/dev/null' into it.

That said, you could try (as root):

# find /home -name .sh_history -exec grep -E "mv|rm" {} +

This assumes that the user's default shell is '.sh_history' and that its path is in '/home'.  You could address this by examining '/etc/passwd' to obtain a list of users as well as their HOME login directory and shell.

Regards!

...JRF...

Regular Advisor

Re: HOW to grep for "rm" or a specific command from users' .sh_history file?

James:

Thanks a billion.... I really appreciate it. I will try out your string/suggestion.

Other users, please keep it coming...

Acclaimed Contributor

Re: HOW to grep for "rm" or a specific command from users' .sh_history file?

>Other users, please keep it coming...

There are not very many ways to do this.  Of course the user could rename his history file and put it elsewhere with:

   export HISTFILE=

You could grep his ~/.profile to check for that.  And of course there is a separate history for the scummy C shell. And I suppose bash could use a different one.
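The script below is an added example, not code from this thread or from HP. It puts JRF's advice and the follow-up caveats into one POSIX sh audit: users, HOME and login shell are taken from a passwd file instead of assuming '/home' and '.sh_history', a HISTFILE override in ~/.profile is honoured, and the C shell's '.history' and bash's '.bash_history' are checked alongside '.sh_history'. The optional ROOT_PREFIX argument, the UID threshold of 100 for "real" users, and the sample accounts and history lines in build_fixture are assumptions and constructed data, there only so the script runs offline against a throwaway directory tree.

```shell
#!/bin/sh
# Added example (not from the thread): audit each user's shell history for
# whole-word "rm" / "mv" commands, using /etc/passwd for HOME and shell.
#
# audit_history PASSWD_FILE [ROOT_PREFIX]
#   ROOT_PREFIX (hypothetical, for testing) is prepended to every HOME so the
#   function can run against a constructed tree; pass nothing for a live host.
#   Output: user:histfile:lineno:command, one line per match.
audit_history() {
    passwd=$1
    prefix=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        # Assumption: UIDs below 100 are system accounts. Skip those and any
        # account without an interactive shell.
        [ "$uid" -ge 100 ] 2>/dev/null || continue
        case "$shell" in ""|*/nologin|*/false) continue ;; esac
        hdir="$prefix$home"
        # default history file depends on the login shell
        case "$shell" in
            */bash)       hist="$hdir/.bash_history" ;;
            */csh|*/tcsh) hist="$hdir/.history" ;;
            *)            hist="$hdir/.sh_history" ;;   # sh / ksh
        esac
        # honour "export HISTFILE=..." (or bare HISTFILE=...) in ~/.profile;
        # strip a trailing ";" clause, surrounding whitespace and quotes
        alt=""
        if [ -r "$hdir/.profile" ]; then
            override=$(grep -E '^[[:space:]]*(export[[:space:]]+)?HISTFILE=' "$hdir/.profile" \
                       | tail -n 1 | sed 's/.*HISTFILE=//; s/[;[:space:]].*$//' | tr -d "\"'")
            case "$override" in
                "")        ;;
                '~'/*)     rel=${override#"~/"};      alt="$hdir/$rel" ;;
                '$HOME'/*) rel=${override#"\$HOME/"}; alt="$hdir/$rel" ;;
                /*)        alt="$prefix$override" ;;
                *)         alt="$hdir/$override" ;;
            esac
        fi
        # scan the default file and the relocated one (if any);
        # -w keeps "rmdir", "format" and the like from matching
        for f in "$hist" "$alt"; do
            [ -n "$f" ] && [ -r "$f" ] || continue
            grep -nwE 'rm|mv' "$f" | while IFS= read -r line; do
                printf '%s:%s:%s\n' "$user" "$f" "$line"
            done
        done
    done < "$passwd"
}

# build_fixture: constructed passwd file and home directories under a temp
# root; prints the root. Sample data only, not from any real host.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/kennedy" "$root/home/jrf" "$root/home/alice" "$root/root"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'daemon:x:1:1:daemon:/:/sbin/nologin' \
        'kennedy:x:101:20:Kennedy:/home/kennedy:/bin/ksh' \
        'jrf:x:102:20:JRF:/home/jrf:/bin/bash' \
        'alice:x:103:20:Alice:/home/alice:/bin/csh' > "$root/passwd"
    # ksh user: two hits; the "rmdir" line must not count
    printf '%s\n' 'ls -l' 'rm -f /tmp/old.log' 'rmdir /tmp/empty' 'mv a.txt b.txt' \
        > "$root/home/kennedy/.sh_history"
    # bash user who relocated history via .profile: both files get scanned
    printf '%s\n' 'export HISTFILE=~/.hidden_hist' > "$root/home/jrf/.profile"
    printf '%s\n' 'cat /etc/motd' 'sudo rm /var/tmp/x' > "$root/home/jrf/.hidden_hist"
    printf '%s\n' 'rm -rf /tmp/build' > "$root/home/jrf/.bash_history"
    # csh user: history lives in .history
    printf '%s\n' 'mv foo bar' > "$root/home/alice/.history"
    # root is below the UID threshold and is skipped
    printf '%s\n' 'rm /etc/nologin' > "$root/root/.sh_history"
    printf '%s\n' "$root"
}

# With arguments: audit the given passwd file. Without: run on the fixture.
if [ $# -gt 0 ]; then
    audit_history "$@"
else
    demo=$(build_fixture)
    audit_history "$demo/passwd" "$demo"
    rm -rf "$demo"
fi
```

Run it as root with `sh audit.sh /etc/passwd` and feed the output to sort or awk to group by user. As JRF points out, an empty or missing history file proves nothing, since the owner can truncate it at will; the script reports what is present, no more.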