On Thu, Dec 12, 2013 at 11:05 AM, Rajagopal Swaminathan <raju.rajs...@gmail.com> wrote: > Greetings, > > On Wed, Dec 11, 2013 at 2:24 PM, Arun Khan <knu...@gmail.com> wrote: >>> >> >> Who changed it? Do you have any mechanism in place to track such changes? >> > > One possible mechanism in bash is : > > echo 'export HISTTIMEFORMAT="%F %T "' >> /etc/profile > echo 'export HISTSIZE=5000' >> /etc/profile > echo 'export PROMPT_COMMAND="history -a"' >> /etc/profile > > This will help track last 5000 commands typed in any terminal window > > one just has to type > > history -r > > in the terminal logged in as the user whose history one wants to track >
However, if the system has been b0rk3ed, the cracker will most likely remove the command history as well e.g. '> ~/.bash_history' or disable command history logging (export HISTFILE=/dev/null) *before* s/he goes about doing the damage! -- Arun Khan _______________________________________________ ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc ILUGC Mailing List Guidelines: http://ilugc.in/mailinglist-guidelines
