Save root or user history to check later
Some times we need a way to automatically save any user’s or root’s activity so that we can check later. In environment, where root account is accessible by multiple people, its very helpful to exactly know who did what and when? In my case, I have found that some files are changed mysteriously but I was clueless as there are more than one users with root access.
To save the activity/history of any user (including root), you need to open the user’s .bash_profile from his home directory.
Here, for instance, I would like to record all commands in a file when a user login as root or su to root. History will be stored in a file with name as DateTimeIPAddress from where user came.
Step 1. Go to root’s home:
# cd ~
Step 2. You can make a hidden directory so that all history files will be stored there:
# mkdir .rhistdata
Step 3. Open .bash_profile and write down following commands:
# vi .bash_profile
# save root history
export HISTSIZE=3000
export HISTFILESIZE=5000
export HISTFILE=/root/.rhistdata/.bash_hist-$(who am i | awk ‘{print $3.$4.$5.$6}’;exit)
Save and close the file.
It’s simple. You can try to login again as root, do something and logout. Login again and check that there’s file having all commands you performed.