[Pauldotcom] Archiving History files
dninja at gmail.com
Tue Jan 19 12:53:03 UTC 2010
2010/1/19 Monkey Daemon <monkeywebdaemon at googlemail.com>:
> I've just discovered a system on which one of our darling users has
> decided adding a script to his .bash_logout file that removes
> .bash_history on logout is a clever thing to do.
> Is there a way to take a copy of the .bash_history file before it is
> deleted? This user obviously has something to hide as far as I'm
> concerned, so I need to archive this file to present it as evidence.
You could trojan the history command so that when a clear is attempted
it copies the current history first. I'd do this by moving the history
binary to one side and adding a shell script wrapper that checks the
UID and acts when needed.
More information about the Pauldotcom