Capture commands ran by a user

chindi · ‎07-17-2013

Hi ,

Am using following entry in my /etc/profile to capture commands ran by a users in our 11iv2 servers:

export LOGINNAME=`who am i | awk '{print $1}'`
export HISTFILE="/var/tmp/hist_`date +%y%m%d.%H%M%S`.${LOGINNAME}.$LOGNAME.$$"

My question is all users are able to see this setting when they log in using "env" variable ,

is there any way such that the user will never come to know as to were am i logging his/her history ???

Dennis Handly · ‎07-17-2013

>is there any way such that the user will never know as to were am I logging his/her history?

No. The history mechanism is not meant to be the security police.

If you unset it at the end of /etc/profile, then the user could change it and start a new shell.

chindi · ‎07-17-2013

Ok.

Can i move the entries to a location which has root access only ?

Dennis Handly · ‎07-17-2013

>Can I move the entries to a location which has root access only?

No, the user would no longer be able to write to it. Nor read it to look at his history.

chindi · ‎07-17-2013

We do not want to enable auditing which will create large junk files.

Instead do we have option of rotating those log files ?

Can i copy it instead of moving it?

Dennis Handly · ‎07-17-2013

>Instead do we have option of rotating those log files?

Are you now talking about auditing or about the history file?

chindi · ‎07-17-2013

Hi Dennis ,

Rotating am asking for audit files.

And if we can copy history , that would be really great .

chindi · ‎07-18-2013

Hi Guys,

Awating reply .

Re: Capture commands ran by a user