[Pauldotcom] Archiving History files

Tim Krabec tkrabec at gmail.com
Tue Jan 19 15:48:35 UTC 2010 

run a key logger

On Tue, Jan 19, 2010 at 9:24 AM, Nick Baronian <nbaronian at gmail.com> wrote:

> There are probably a ton of different ways to do this but if the user
> is deleting the history file you could probably just create a hardlink
> to the user's .bash_history for a one time catch.  The hard link will
> be broken after the file is deleted and if the user is erasing the
> data in the file the hard link will do you little good.
> ln /home/user/.bash_history /root/userhistory
> A better solution might be to try playing with the HISTFILE setting.
> I haven't tried it but you may be able to specify more than one file
> or you could just change the user's history to another spot.
> You may also want to verify the histappend is set.
>
> Nick
> On Tue, Jan 19, 2010 at 5:50 AM, Monkey Daemon
> <monkeywebdaemon at googlemail.com> wrote:
> > Hi,
> >
> > I've just discovered a system on which one of our darling users has
> > decided adding a script to his .bash_logout file that removes
> > .bash_history on logout is a clever thing to do.
> >
> > Is there a way to take a copy of the .bash_history file before it is
> > deleted? This user obviously has something to hide as far as I'm
> > concerned, so I need to archive this file to present it as evidence.
> >
> > Thanks in advance,
> >
> > MWD.
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> >
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>



-- 
Tim Krabec
Kracomp
772-597-2349
smbminute.com
kracomp.blogspot.com
www.kracomp.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100119/295cc48e/attachment.htm

More information about the Pauldotcom mailing list