https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482568#M744576 Hi Daniel,<BR /><BR />Think we are looking for the same: Command Auditting <A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=805145" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=805145</A><BR /><BR />apearantly there is a possibility to recompile bash (don't know yet how) to log all interactive commands into a sepparate file. But then you have the support issue and of course as Andrew stated: legislation Thu, 10 Feb 2005 02:57:24 GMT TEC-HP 2005-02-10T02:57:24Z https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482563#M744566 the question is that the user doesn't see what you/he/she/it register in the .sh_history, and that single [root] could see this. Wed, 09 Feb 2005 17:26:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482563#M744566 Daniel Piedras_1 2005-02-09T17:26:39Z https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482564#M744568 Kind of a cryptic post. No question mark either.<BR /><BR />root can see any file the person logged on as root wants. Thats a fact that does not change. <BR /><BR />The umask parmeter controls default permissions when a new file is created. If you set that in /etc/profile when new users are created, permissions will be the way you want on .sh_history<BR /><BR />chmod 700 .sh_history so long as the user owns it.<BR /><BR />If root owns it, permissions need to be more flexible.<BR /><BR />SEP Wed, 09 Feb 2005 17:46:09 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482564#M744568 Steven E. Protter 2005-02-09T17:46:09Z https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482565#M744570 set it <BR />-w------ user:staff .sh_history<BR /><BR />but - this won't get You anywhere. The history works only as long as it is *readable*!<BR /><BR />but You can have a single history for every user - I think this is the way You should go.<BR /><BR />the variable is $HISTFILE and You could use /etc/profile to set it by e.g.<BR /><BR />WHO=`whoami`<BR />HISTFILE="~$WHO/.sh_history"<BR />HISTSIZE=2048<BR /><BR />touch and chown it for every user to come. Wed, 09 Feb 2005 17:49:43 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482565#M744570 Florian Heigl (new acc) 2005-02-09T17:49:43Z https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482566#M744572 Thanks<BR /><BR />Regards Wed, 09 Feb 2005 19:33:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482566#M744572 Daniel Piedras_1 2005-02-09T19:33:18Z https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482567#M744574 Do you mean that you want a new ".sh_history" file everytime that someone logs-in/su's to root? If this is the case simply add a few lines to your ".profile" to change the name of the ".sh_history" to do something like append the date and time, or the IP-Address or username of the user.<BR />You also add a "trap" to call a file such as ".kshexit" that moves or renames the file so it can be stored for auditing purposes.<BR /><BR />There are a lot of projects knocking around that are trying to create a kind of flight-recorder for root's actions, however there can be serious privacy issues surrounding this aproach, so make sure that it complies with your local legislation. Thu, 10 Feb 2005 02:27:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482567#M744574 Andrew Cowan 2005-02-10T02:27:14Z https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482568#M744576 Hi Daniel,<BR /><BR />Think we are looking for the same: Command Auditting <A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=805145" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=805145</A><BR /><BR />apearantly there is a possibility to recompile bash (don't know yet how) to log all interactive commands into a sepparate file. But then you have the support issue and of course as Andrew stated: legislation Thu, 10 Feb 2005 02:57:24 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-in-sh-history/m-p/3482568#M744576 TEC-HP 2005-02-10T02:57:24Z