Saturday, February 11, 2012

Enable timestamp logging in bash commands history

Bash has a built-in feature to record a timestamp for every command in its history, but it is not enabled by default in Red Hat Linux (ksh does not have the feature at all).
Two environment variables are worth tuning to make the history more useful as an audit trail. Keep in mind that this is accountability for cooperative users, not a tamper-proof control: any user can still unset HISTFILE, edit ~/.bash_history, or stop recording with set +o history (see below), so where an enforced record is required use auditd or process accounting as well.
1. Enable timestamps in command history
2. Increase the default history file size
Enable timestamp in command history
Set the HISTTIMEFORMAT variable, e.g. HISTTIMEFORMAT="[%F %T %Z] " (note the trailing space, which separates the timestamp from the command).
The format string uses the same strftime conversions as the date command.
Increase the default history file size
There are two variables for the history size.
HISTSIZE: how many lines to keep in memory for the current bash session. When the session exits, bash writes these lines to ~/.bash_history; by default it overwrites the file with its in-memory list and only appends when the histappend shell option is set (shopt -s histappend), so with several concurrent sessions the last one to exit can discard the commands of the others.
HISTFILESIZE: how many lines to keep in the history file ~/.bash_history.
On Red Hat, /etc/profile sets HISTSIZE=1000 and HISTFILESIZE defaults to the same value. HISTSIZE=1000 is fine for the current session, but HISTFILESIZE=1000 is too small to retain the commands of past login sessions for any length of time.
To enable both variables for all users they could be put in the global profile /etc/profile, but a separate file under /etc/profile.d/ is the better option, since it keeps the site customisation apart from the vendor file.
For example, create a user global profile in /etc/profile.d:
$cat /etc/profile.d/ 
# With timestamps enabled, the history output looks like this:
19  [2012-02-03 13:41:56 EST] history
20  [2012-02-03 13:42:58 EST] date
22  [2012-02-03 13:42:55 EST] pwd
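A complete drop-in for /etc/profile.d/ that applies both settings above, as an added example written for this page (it is not the file from the original post, whose contents are not shown). The file name history-audit.sh is an assumption; any *.sh under /etc/profile.d/ is sourced by /etc/profile on Red Hat. It also sets histappend, which the post does not mention, so that concurrent sessions append to ~/.bash_history instead of overwriting it.

```bash
#!/bin/bash
# Added example: assumed location /etc/profile.d/history-audit.sh
# (file name is an assumption; the settings are the ones discussed above).

history_audit_settings() {
    # Timestamp in strftime/date format, printed in front of every history line.
    # The trailing space separates the timestamp from the command.
    export HISTTIMEFORMAT="[%F %T %Z] "
    # In-memory list for the current session: keep the Red Hat default so
    # the history command stays fast in daily use.
    export HISTSIZE=1000
    # On-disk file ~/.bash_history: large enough to cover many past sessions.
    export HISTFILESIZE=40000
    # Append to ~/.bash_history on exit instead of overwriting it, so that
    # concurrent sessions do not wipe each other's commands (bash only).
    if [ -n "$BASH_VERSION" ]; then
        shopt -s histappend
    fi
}

# /etc/profile.d/*.sh is also sourced by ksh and by non-interactive bash;
# only interactive bash sessions keep a history, so apply the settings
# only there.
if [ -n "$BASH_VERSION" ]; then
    case $- in
        *i*) history_audit_settings ;;
    esac
fi
```

After installing the file, log in again (or source it) and run history: new commands show the timestamp prefix. Commands already in ~/.bash_history carry no timestamp and are displayed with the time the file was loaded, so the first timestamps after the rollout are not reliable.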

You may notice that the commands are not listed in time order: pwd was executed before date, but it ran in a different session, and the pwd session exited after the date session, so its line was written to the file after date.

The history command only shows the last HISTSIZE lines that were loaded from ~/.bash_history at login, so raising HISTSIZE afterwards does not by itself bring old commands back. To trace very old commands among all 40000 lines of the file, either read ~/.bash_history directly, or temporarily raise HISTSIZE to 40000 and reload the file with history -r (after history -c, otherwise the entries already in memory are duplicated). Setting the default HISTSIZE to 40000 instead is possible, but it makes the history command too slow for daily use.
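Both points above, the out-of-order listing across sessions and the need to see more than HISTSIZE lines, can be handled by reading the raw ~/.bash_history instead of the in-memory list. The following is an added example, not code from the original post: with HISTTIMEFORMAT set, bash stores a "#<epoch>" line in front of each command in the file, and the script pairs those lines with their commands and sorts by the epoch. The function names and the three-entry sample file (the commands from the output above, written the way two sessions leave them) are constructed here.

```bash
#!/bin/bash
# Added example, not from the original post. Reads a bash history file
# written with HISTTIMEFORMAT set and orders the entries by time rather
# than by the order in which sessions exited.

# Print "epoch<TAB>command" for every entry, oldest first. Entries recorded
# before HISTTIMEFORMAT was enabled have no "#epoch" line; they are reported
# with epoch 0 so they sort to the top instead of being dropped.
sorted_history() {
    awk 'BEGIN { ts = 0 }
         /^#[0-9]+$/ { ts = substr($0, 2); next }
         { print ts "\t" $0 }' "$1" | sort -s -n -k1,1
}

# Same listing rendered like the history output above (GNU date's -d @EPOCH).
sorted_history_pretty() {
    sorted_history "$1" | while IFS="$(printf '\t')" read -r ts cmd; do
        printf '[%s] %s\n' "$(date -d "@$ts" '+%F %T %Z')" "$cmd"
    done
}

# Constructed sample: history, date and pwd from the output above. The pwd
# session exited last, so its entry lands after date although it ran earlier.
write_sample_history() {
    cat > "$1" <<'EOF'
#1328294516
history
#1328294578
date
#1328294575
pwd
EOF
}

# Demo: write the sample to a temporary file and list it in time order.
sample=$(mktemp)
write_sample_history "$sample"
sorted_history "$sample"
rm -f "$sample"
```

Run it against the real file with sorted_history ~/.bash_history | tail -n 50 (or sorted_history_pretty for readable timestamps). Because it reads the whole file, it sees all HISTFILESIZE lines without touching HISTSIZE, and it works on a copy of a history file collected from another host during an investigation.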

Other useful history related commands

#clear the command history of the current session
$history -c
#stop recording commands in this session
$set +o history
#resume recording commands
$set -o history
#fc (fix command): open the last 4 commands in the editor and re-execute them when the editor closes
#useful when you need to re-run more than one command
$fc -4 -1