topic Re: Clear .sh_history when log off in Operating System - HP-UX

Clear .sh_history when log off

tom quach_1 — Tue, 23 Jun 2009 15:16:10 GMT

Hi All,

I would like to exec a script when i log off putty, telnet, xterm session to clear out .sh_history.
Please tell me where can i put this script.
Regards,
Tom

Re: Clear .sh_history when log off

Mel Burslan — Tue, 23 Jun 2009 15:26:08 GMT

trap "cat /dev/null >.sh_history" 0 1 3 15

place this in users' .profile or if you want this for everybody, place it in /etc/profile

hope this helps

Re: Clear .sh_history when log off

Dennis Handly — Tue, 23 Jun 2009 15:28:22 GMT

Do you have a separate history file for each session, if multiple logins?
Mel's solution may blast it for each script you run?

Re: Clear .sh_history when log off

tom quach_1 — Tue, 23 Jun 2009 16:58:38 GMT

Thank you Mel & Dennis for your helps.

i only have one .sh_history
Mel- this line works when i add it to the bottom of the .profile
Question:
Can i hide this line from .profile
when i move this line up within .profile it does not seem to work.
Reason: do not want user to see it.

Regards,
Tom

Re: Clear .sh_history when log off

James R. Ferguson — Tue, 23 Jun 2009 17:19:18 GMT

Hi Tom:

Did you do this in the ${HOME}/.profile or in '/etc/profile'?

If you did this in '/etc/profile' you need to put it at the end since there is (by default) a 'trap' for the signals in question already there. This would override Mel's suggestion if you don't put his last.

Security by obsurity is weak. Any user can list ('cat', etc.) '/etc/profile' to see what you have done.

Regards!

...JRF...

Re: Clear .sh_history when log off

Steven E. Protter — Tue, 23 Jun 2009 18:04:51 GMT

Shalom Tom,

The reason stuff is kept in these files is so there is a record of what was done when.

This is a basic security measure and helps you catch your own mistakes.

Doing what you propose probably violates security audit parameters and is not a good idea.

Modify the ideas above to at least archive this information so its available when you need it.

SEP

Re: Clear .sh_history when log off

James R. Ferguson — Tue, 23 Jun 2009 21:36:07 GMT

Hi (again):

> SEP: The reason stuff is kept in these files is so there is a record of what was done when.
This is a basic security measure and helps you catch your own mistakes. Doing what you propose probably violates security audit parameters and is not a good idea.

I'm sorry to disagree, but I do! This is _no_ audit if you consider that the owner of the history file has every right to truncate the file before he/she logs off. In fact, I routinely do this when I have issued a 'shutdown' command as root. I don't want to be able to inadvertently recall the command history looking for a command that lay next to the 'shutdown' and stupidly re-trigger that shutdown again by mistake!

Regards!

...JRF...

Re: Clear .sh_history when log off

Mel Burslan — Wed, 24 Jun 2009 00:13:40 GMT

I have to agree with JRF on this one. As the .sh_history needs to be user writable, there is no way to trust that data for any audit purpose. If you make it unwritable, then you lose the benefit of having a shell history.

If the purpose is auditing users in the sense of what they have done, then an external solution needs to be involved, like power broker, where you can log every key stroke of the user onto an external server, unreachable by the end user. Then it is a valid auditable log.

Re: Clear .sh_history when log off

Dennis Handly — Wed, 24 Jun 2009 00:54:55 GMT

If you don't want to save your history, don't define HISTFILE, or unset it.
As long as you aren't root (or you use ksh), you still will have a history.

In regards to Mel's solution, that will blast it for every shell script you run.

You would need to do:
shell=$(UNIX95=EXTENDED_PS ps -p $$ -ocomm=)
if [[ "$shell" = -* ]]; then
echo "Login shell: $shell"
> $HISTFILE
fi

Or using it in a trap command:
trap 'shell=$(UNIX95=EXTENDED_PS ps -p $$ -ocomm=)
if [[ "$shell" = -* ]]; then
#echo "Login shell: $shell"
> $HISTFILE
fi' 0 1 3 15

Re: Clear .sh_history when log off

tom quach_1 — Wed, 24 Jun 2009 15:29:50 GMT

Thank you all for your info.
Regards,
Tom