Yes, using history command to track the changes made to the system is not
convincing. There should be some auditing tool to track the changes, any
suggestions please.
On Thu, Dec 12, 2013 at 1:23 PM, Arun Khan <knura9 at gmail.com> wrote:
On Thu, Dec 12, 2013 at 11:05 AM, Rajagopal Swaminathan
<raju.rajsand at gmail.com> wrote:
Greetings,changes?
On Wed, Dec 11, 2013 at 2:24 PM, Arun Khan <knura9 at gmail.com> wrote:
Who changed it? Do you have any mechanism in place to track such
One possible mechanism in bash is :
echo 'export HISTTIMEFORMAT="%F %T "' >> /etc/profile
echo 'export HISTSIZE=5000' >> /etc/profile
echo 'export PROMPT_COMMAND="history -a"' >> /etc/profile
This will help track last 5000 commands typed in any terminal window
one just has to type
history -r
in the terminal logged in as the user whose history one wants to track
However, if the system has been b0rk3ed, the cracker will most likely
remove the command history as well e.g. '> ~/.bash_history' or disable
command history logging (export HISTFILE=/dev/null) *before* s/he goes
about doing the damage!
-- Arun Khan
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
ILUGC Mailing List Guidelines:
http://ilugc.in/mailinglist-guidelines