3

I have an Ubuntu server. Several users are allowed to operate on the server. They use ssh.

I need to have the command line history for all of them in one place, showing the time, the user and the command. Also, I'd like to prevent the users from editing the history file. Generally speaking, I need to record what they do on the server and prevent them from modifying the records.

Is there any solution for this?

masegaloeh
darpet

3 Answers

4

I believe it should be possible. I'd start by creating one logfile per user (as I'm unsure of the side effects of sharing a pooled history file). So for the sake of example, I'm going to

mkdir /var/log/history
touch /var/log/history/soneil
chown root:soneil /var/log/history/soneil
chmod 660 /var/log/history/soneil

So I have a history file that's owned by root, but 'soneil' can write to.

Then, a little magic: chattr +a /var/log/history/soneil

Now 'soneil' can only append to history, it's otherwise immutable to all but root.

So I've got my log file prepped, I just need to use it.

In /etc/bashrc (on Ubuntu I notice this is /etc/bash.bashrc):

export HISTFILE=/var/log/history/$USER
readonly HISTSIZE
readonly HISTFILE
readonly HISTIGNORE
readonly HISTCONTROL

The readonly builtin is fairly self-explanatory, and I believe could be equally applicable to SvenW's function too.

Tested, this has the same problem as the normal history file; it's written at logout, and isn't timestamped, so ordering events would be messy. I think if I had to do this myself, I'd add

PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
readonly PROMPT_COMMAND

to force history to be flushed to disk each time a new prompt is drawn. There's also a HISTTIMEFORMAT envar which will add timestamps to the history file, but in a rather non-pretty format (setting the var to a prettier format only affects the output of 'history', not the contents of the file itself).

Shaun
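An added example, not part of the answer above: with HISTTIMEFORMAT set, bash writes a `#<epoch>` line before each command in the history file, and this sketch merges the per-user files from /var/log/history into one time-ordered list of time, user and command. The function names `merge_history` and `make_sample` are hypothetical, and the sample history lines are constructed.

```shell
#!/bin/sh
# Added example: merge per-user bash history files into one timeline.
# Assumes HISTTIMEFORMAT is set, so bash writes a "#<epoch>" line before
# each command. merge_history and make_sample are hypothetical names.

# merge_history DIR -> "epoch<TAB>user<TAB>command" lines, oldest first.
merge_history() {
    tab=$(printf '\t')
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # File name is the user name, as with HISTFILE=/var/log/history/$USER.
        awk -v user="$(basename "$f")" '
            function flush() {
                if (cmd != "") printf "%s\t%s\t%s\n", ts, user, cmd
                cmd = ""
            }
            BEGIN { ts = 0 }
            # Timestamp line: close the previous entry and start a new one.
            /^#[0-9]+$/ { flush(); ts = substr($0, 2); stamped = 1; next }
            # Before any timestamp is seen, every line is its own command.
            !stamped { flush() }
            # Multi-line commands are joined with a literal \n marker.
            { cmd = (cmd == "" ? $0 : cmd "\\n" $0) }
            END { flush() }
        ' "$f"
    done | sort -s -n -t "$tab" -k1,1
}

# make_sample DIR: write two constructed history files for the demo.
make_sample() {
    printf '%s\n' '#1700000000' 'sudo systemctl restart nginx' \
        '#1700000120' 'for f in *.log; do' 'gzip "$f"' 'done' > "$1/alice"
    printf '%s\n' '#1700000060' 'vi /etc/hosts' > "$1/bob"
}

# Demo on the constructed sample; on a real host pass /var/log/history.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
merge_history "$demo_dir"
rm -rf "$demo_dir"
```

With GNU date, as on Ubuntu, `date -d @1700000000` turns a value from the first column into a readable time. Entries written before timestamps were enabled are reported with time 0.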
3

I think what you want to do is not really possible. Do you worry primarily about who changed a file or do you explicitly want to see they used pico to do so? If the former is the case, you could use a shared file system with logging capabilities (i.e. NFS, Samba) and mount the users' directories this way. Depending on the configuration, this will log every file action.

--- Edit

Thinking about it a little bit more, I guess you could use traps to do what you want, but this is a hackish solution and will prevent some bash functionality:

Put the following in your /etc/bashrc (or similar):

function commandlogger
{
   LASTENTRY=$(fc -ln -0)
   logger -p local1.info -t commandlogger -i -- "${USER} - ${LASTENTRY}"
}

trap commandlogger DEBUG

This will spring a bash trap whenever a user enters a command which then will log this command into the syslog. You can then grep through this looking for the tag commandlogger. Also, entries will be only logged after the next command.

Sven
2

As Khaled said, the best way to handle this isn't to allow lots of people to log into the same account using ssh, but to give each user their own login and have them acquire privilege through sudoing individual commands with the privilege of the shared account.

If you go this way, not only does sudo log to the system logs using syslog, but if you require a definitive tamper-proof record of who did what, you can have those syslogs also sent to a central loghost, to which none of the users has any access.

Edit: I just tried to do this by enabling process accounting, and although that gives me a definitive list of each command run by each user, it doesn't seem to record arguments and flags, only the command itself. Anyone know any way to get lastcomm to report arguments and flags?

MadHatter