Linux history command not being captured when included in a script

Hi Team,

  I need a script that captures the contents of the Linux command line history file, for auditing purposes.  I noticed that when I use the history command in a script that outputs commands to a file, it doesn't work.  My script looks like this:

[root@test ~]# cat 2baseline.sh 
#!/bin/bash
BASEFILE=BASELINE_$(date '+%d_%b_%Y_%H_%M_%S').txt
exec >> $BASEFILE 2>&1
set -x
date
who
history 100
cat /etc/fstab
tail -n 1000 /var/log/messages 



All the commands output fine, except the history command.  Can someone suggest an alternative way for the history file to be copied to a file?

Thanks very much.
rleyba828 asked:

Zephyr ICT (Cloud Architect) commented:
Running the history command in a non-interactive shell, as in a script, will not work; you'll have to use a file that is keeping your history. You can then read out that file in your script, for example.

This might get you started:
#!/bin/bash
HISTFILE=~/.bash_my_history   # or wherever your bash history file is located (bash only honours HISTFILE)
set -o history                # enable history in this non-interactive shell
history -r                    # load the entries from $HISTFILE into the shell's history list
history | grep something



If you have bash 4.0 however, you can use the -i (interactive) flag, which should allow you to do what you are looking for.

#!/bin/bash -i
history | grep something


0
 
ozo commented:
If you want to capture the history of the parent shell that invoked the command, rather than the history of the child shell that the command invoked, the history command would need to be run in the parent.
You can do this by calling the command with
source 2baseline.sh
or
. 2baseline.sh
instead of
2baseline.sh
or
bash 2baseline.sh
But you probably don't want to exec inside a source, so change that to:
#!/bin/bash
BASEFILE=BASELINE_$(date '+%d_%b_%Y_%H_%M_%S').txt
o=`set +o`      # save the caller's shell options; the file is sourced, so they must be put back afterwards
set -x
(
date
who
history 100
cat /etc/fstab
tail -n 1000 /var/log/messages
) >> $BASEFILE 2>&1
${o#${o%set*xtrace*}}   # re-run only the saved "set [+-]o xtrace" line, restoring the caller's xtrace state
0
 
egarciat commented:
What about:

if [ -n "$HISTFILE" ] && [ -f "$HISTFILE" ]; then
   tail -n 100 "$HISTFILE"
fi



Be sure to get the HISTFILE variable's content before clearing the environment.
0
 
ozo commented:
That could still require history -a in the parent if you want HISTFILE to be current.
0
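The following is an added example, not code posted by anyone in this thread. It puts egarciat's HISTFILE check and ozo's "is the file current?" caveat into one collector script, and also shows the builtin route Zephyr ICT described (enable history, then load the file explicitly). All function names are hypothetical, the sample history file is constructed inline to stand in for /root/.bash_history, and it assumes bash is on PATH. One detail the thread does not mention: when HISTTIMEFORMAT was set in the recording shell, bash writes a "#<epoch>" line before every command, so a naive tail of the file shows those as bogus commands; the dump function folds them into a timestamp column instead.

```shell
#!/bin/bash
# Added example, not code from the thread. Hypothetical helper names; the
# sample history file is constructed here and stands in for /root/.bash_history.

# Locate the history file the way egarciat's check does, falling back to the
# bash default when HISTFILE is unset (cron and other non-interactive shells
# normally leave it unset). Prints the path, or fails if it is not readable.
resolve_histfile() {
    local f="${HISTFILE:-${HOME:-}/.bash_history}"
    [ -n "$f" ] && [ -f "$f" ] && [ -r "$f" ] || return 1
    printf '%s\n' "$f"
}

# Number of commands in a history file. bash writes a "#<epoch>" line before
# each command when HISTTIMEFORMAT was set in the recording shell, so those
# lines must not be counted as commands.
count_history_entries() {
    grep -vc '^#[0-9][0-9]*$' "$1"
}

# Last N commands as "<epoch or ->\t<command>", folding the "#<epoch>" lines
# into a timestamp column instead of letting them appear as bogus commands.
dump_history_file() {
    local file="$1" n="${2:-100}"
    awk '
        /^#[0-9]+$/ { ts = substr($0, 2); next }
        {
            stamp = (ts != "") ? ts : "-"
            print stamp "\t" $0
            ts = ""
        }' "$file" | tail -n "$n"
}

# The builtin route Zephyr ICT describes: history is off in a script, so enable
# it and load the file explicitly; after that, "history" lists the entries.
# Done in a fresh bash so the calling shell's own history list is untouched.
history_via_builtin() {
    bash -c 'unset HISTTIMEFORMAT; set -o history; history -r "$1"; history' _ "$1"
}

# Constructed sample in the exact shape bash writes with HISTTIMEFORMAT set.
make_demo_histfile() {
    local f="${TMPDIR:-/tmp}/demo_bash_history.$$"
    cat > "$f" <<'EOF'
#1700000000
id -u
#1700000010
useradd -m auditor
#1700000020
systemctl restart sshd
EOF
    printf '%s\n' "$f"
}

main() {
    local f
    f=$(make_demo_histfile)
    echo "== history file resolved from HISTFILE: $(HISTFILE=$f resolve_histfile)"
    echo "== $(count_history_entries "$f") commands; last two (epoch<TAB>command):"
    dump_history_file "$f" 2
    echo "== same file through the history builtin:"
    history_via_builtin "$f"
    rm -f "$f"
}

main "$@"
```

Two caveats when this runs from cron, both following from the thread: the file only contains what the interactive shells have already flushed, so (per ozo) those shells need `history -a`, for instance from PROMPT_COMMAND, before the snapshot is worth much; and the file is owned and writable by the very account being audited, so it is a convenience record, not an audit trail, which is why the pam_tty_audit, psacct and snoopy suggestions later in the thread are the sturdier options.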
 
Docteur_Z commented:
Auditing is better handled by the OS itself.
Use the pam_tty_audit library (see: http://poorlydocumented.com/2014/05/enabling-pam_tty_audit-on-rhel-centos-or-scientific-linux/)
0
 
gheist commented:
You can enable process accounting (usually the psacct package),
or snoop on commands run (the snoopy package),
or record everything they do (script).
0
 
rleyba828 (author) commented:
Hi Team,

   the simplest solution I can see is the one from spravtek:

"...If you have bash 4.0 however, you can use the -i (interactive) flag, which should allow you to do what you are looking for..."

It worked fine for me.

My only concern is that we want to deploy this on other Linux servers, some of them RHEL 5 or older.  What would happen if they don't use bash 4.0, say they use an earlier one?  Will it cause the shell to hang or lock up?  We want to put it in a cron job that runs once a day or more often, and we will be adding more commands to the script.

Thanks.
0
 
gheist commented:
bash is used by system scripts, just like python 2.4;
never ever even think about replacing them.
0
 
ozo commented:
If it's a cron job, does that mean that the history you are interested in is just the history of the prior commands within 2baseline.sh (of which there would only be 5, not 100 in your example)?  If so, it should suffice to enable history within that shell.
Or, if 2baseline.sh is called from within another cron job, and if the history you are interested in is the history of the job that calls 2baseline.sh, then it should be simpler to put the history command in that job.
0
 
rleyba828 (author) commented:
Hi gheist, I am not talking about replacing them, just wondering about the impact of doing this:

[root@test ~]# cat 2baseline.sh 
#!/bin/bash -i        # <<<<<<----------- I added the -i in the bash parameter of this script
BASEFILE=BASELINE_$(date '+%d_%b_%Y_%H_%M_%S').txt
exec >> $BASEFILE 2>&1
set -x
date
who
history 100           # <<<<<<----------- because of the -i parameter above, this command now displays properly
cat /etc/fstab
tail -n 1000 /var/log/messages



There are some notes about this: http://www.gnu.org/software/bash/manual/html_node/Interactive-Shell-Behavior.html, so I am wondering what happens if our sysadmins deploy this script to some older Linux systems that use a bash version earlier than 4.0.  Will it cause the shell to lock up, or produce other unpredictable results?

Thanks
0
 
ozo commented:
If you are only interested in the history of commands within 2baseline.sh, and not the history of commands done by the parent before calling 2baseline.sh, then it should suffice to enable history within 2baseline.sh, e.g. with set -o history.
0
 
gheist commented:
It will overwrite the part of the history file that is in the main shell's memory; then the main shell will wipe the script's trails when exiting.
0
 
rleyba828 (author) commented:
Hi ozo, I am actually interested in the history of commands done by the PARENT.  The reason is that we want to keep tabs on what the root account has been doing, as there are multiple admins per server, so this 2baseline.sh is a way of capturing that, and we ship the output to a secure box for auditing.
0
 
gheist commented:
export LD_PRELOAD=/lib/snoopy.so
readonly LD_PRELOAD
0
 
ozo commented:
If the parent is a cron job, then that cron job can be responsible for executing the history command.
(or for sourcing instead of executing 2baseline.sh)
0
 
gheist commented:
And if a user is logged in while the cron job runs... there is no mechanism of mutual exclusion available.

I hold a big red poster and shout Snoopy snoopy snoopy
0
Question has a verified solution.