[Pauldotcom] Archiving History files
nbaronian at gmail.com
Tue Jan 19 14:24:26 UTC 2010
There are probably a ton of different ways to do this but if the user
is deleting the history file you could probably just create a hardlink
to the user's .bash_history for a one time catch. The hard link will
be broken after the file is deleted and if the user is erasing the
data in the file the hard link will do you little good.
ln /home/user/.bash_history /root/userhistory
A better solution might be to try playing with the HISTFILE setting.
I haven't tried it but you may be able to specify more than one file
or you could just change the user's history to another spot.
You may also want to verify the histappend is set.
On Tue, Jan 19, 2010 at 5:50 AM, Monkey Daemon
<monkeywebdaemon at googlemail.com> wrote:
> I've just discovered a system on which one of our darling users has
> decided adding a script to his .bash_logout file that removes
> .bash_history on logout is a clever thing to do.
> Is there a way to take a copy of the .bash_history file before it is
> deleted? This user obviously has something to hide as far as I'm
> concerned, so I need to archive this file to present it as evidence.
> Thanks in advance,
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> Main Web Site: http://pauldotcom.com
More information about the Pauldotcom