HPE Community
Operating System - HP-UX
1758057 Members
2687 Online
108867 Solutions
New Discussion юеВ

How To Timestamp the KORN Shell History File

 
SOLVED
Go to solution
Hakki Aydin Ucar
Honored Contributor

тАО03-11-2011 07:32 AM

тАО03-11-2011 07:32 AM

Re: How To Timestamp the KORN Shell History File

Bill' s addendum looks good.

Micheal;
the only thing I noticed that after exit root, history was being cleaned.
But you keep records under /tmp already,
so the second step I wonder if time stamp can be in same line with the command we issued ?
0 Kudos
Reply
Michael Steele_2
Honored Contributor

тАО03-11-2011 08:22 AM

тАО03-11-2011 08:22 AM

Re: How To Timestamp the KORN Shell History File

Hakki:

"...regarding the only thing after exit root has been cleaned..." - This has been the latest security recommendation unless you've got auditors like I have and they want time stamps on every root command.

Anyway Hakki, this is why I put this command in:

trap "echo 'logout root'" 0 # what to do on exit.

...you didn't read the whole posting.

As for having the time stamp on the same line as the command as well as the line number, i.e.,

2Wed Mar 9 13:50:29 2011 ps
3Wed Mar 9 13:50:30 2011 exit

....is the BASH / HISTTIMEFORMAT method that I was looking to reproduce for auditing purposes and have not been able to.

But if you do please let me know. Thanks!
Support Fatherhood - Stop Family Law
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО03-11-2011 10:25 AM

тАО03-11-2011 10:25 AM

Re: How To Timestamp the KORN Shell History File

Shalom,

No points, not fishing.

I tried it out in the lab. The Bill Hassell modification is working.

I'd say as far as figuring out who did what to a system when, this could be useful, though obviously it increases the size of logs.

We probably have some collection procedure in place and I'm worried some kind of SOX report might get unhappy with this hack.

Still, its a great hack.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Shibin_2
Honored Contributor

тАО03-15-2011 08:21 PM

тАО03-15-2011 08:21 PM

Re: How To Timestamp the KORN Shell History File

AIX Korn shell trapped me.

It's giving me the same error

"DEBUG : Max recursion reached it's limit, exiting"

Unable to login. I tried different signals, but no time stamp records. Could it be related to any kernel parameter ? Any AIX gurus here ?
Regards
Shibin
0 Kudos
Reply
Hakki Aydin Ucar
Honored Contributor

тАО03-15-2011 10:51 PM - last edited on тАО04-12-2017 05:02 AM by

тАО03-15-2011 10:51 PM - last edited on тАО04-12-2017 05:02 AM by

Re: How To Timestamp the KORN Shell History File

>Michael: But if you do please let me know. Thanks!

Michael, I couldn't go further but I found that ,are you aware of the parameter EXTENDED_HISTORY in korn shell, I coukdn't find in my environment but if you check this out:

To start recording the date and time that each command is executed, set the EXTENDED_HISTORY environment variable to ON:
export EXTENDED_HISTORY=ON
The CUT (Coordinated Universal Time) timestamp will be appended
to each line of the ~/.sh_history file.

[broken link removed on <4/12/2017> by Mod] 

0 Kudos
Reply
Shibin_2
Honored Contributor

тАО03-15-2011 11:24 PM

тАО03-15-2011 11:24 PM

Re: How To Timestamp the KORN Shell History File

Hakki,

I tested it in my AIX and HP-UX servers.

HP-UX .. no luck. It's not recording any time stamps.

But AIX, it records, but very difficult to identify what is the exact date and time (see below). :)

ls -la #├Г #1300259962#├Г #
tail .sh_history #├Г #1300259975#├Г #

HP-UX 11.23 PA-RISC
AIX P570 6.1

I think, it is depends on the ksh version we use.

Regards
Shibin
0 Kudos
Reply
Hakki Aydin Ucar
Honored Contributor

тАО05-03-2011 04:40 AM

тАО05-03-2011 04:40 AM

Re: How To Timestamp the KORN Shell History File

if you are not consider security issue ,here is my workaround solution, at the end of the .profile ;

# cat /.profile
...
## timestamp to history file ..
set -u # error if undefined variable.
trap 'date "+%c" | read -s' debug # timestamp .sh_history


# cat /tmp/hist_reader
#!/bin/sh
# reader for ksh history from current with timestamp

ADDRESS="$HOME/.sh_history"
cat $ADDRESS >> /tmp/temporal
sed 'N;s/\n/\ : /' < /tmp/temporal

Result:
# /tmp/hist_reader
Tue May 3 15:32:43 2011 : bdf
Tue May 3 15:32:45 2011 : Bpsm
Tue May 3 15:32:48 2011 : pwd
Tue May 3 15:32:52 2011 : history
Tue May 3 15:32:55 2011 : ./
Tue May 3 15:33:05 2011 : ls
Tue May 3 15:33:25 2011 : cat /.profile
Tue May 3 15:36:37 2011 : pwd
Tue May 3 15:37:47 2011 : ls
Tue May 3 15:38:31 2011 : uptime
Tue May 3 15:38:38 2011 : swapinfo

0 Kudos
Reply
Alzhy
Honored Contributor

тАО05-19-2011 05:46 AM

тАО05-19-2011 05:46 AM

Re: How To Timestamp the KORN Shell History File

Wouldn't eksh (enhanced korn shell) also do the same with the added advantage of being able to capture to a syslog server or some WORM based storage?
Hakuna Matata.
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО05-19-2011 06:15 AM

тАО05-19-2011 06:15 AM

Re: How To Timestamp the KORN Shell History File

> Wouldn't eksh (enhanced korn shell) also do the same ...

Sure. eksh is actually found on all HP-UX systems (optional on 11.31) but is named /usr/dt/bin/dtksh, also known as Korn shell version 1993. However, there will be a few incompatibilities, especially with poorly written scripts that do not have an interpreter line (that is #!/usr/bin/ksh or #!/bin/sh). ksh93 has a lot of nice features such as real (not just integer) numbers. Unfortunately, HP does not supply a general ksh93 man page but only documents the ksh93 Xwindow extensions. Here is a good reference:

www.kornshell.com/doc/ksh93.html


Bill Hassell, sysadmin
0 Kudos
Reply
Shibin_2
Honored Contributor

тАО05-24-2011 11:15 PM

тАО05-24-2011 11:15 PM

Re: How To Timestamp the KORN Shell History File

Found solution for AIX as well :)

All you have to do is, put the following line in .profile ( for global it can be in /etc/profile ).

EXTENDED_HISTORY=ON

To read the exact date & time of the command executed of a user├в s history file, use the following option.

env HISTFILE= /usr/bin/fc -t
Regards
Shibin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.