HOW to grep for "rm" or a specific command from users' .sh_history file?
Regular Advisor
Posts: 138
Registered: ‎09-18-2005
Message 1 of 4 (344 Views)

HOW to grep for "rm" or a specific command from users' .sh_history file?

Fellow SAs:
Can someone suggest an easy way to investigate which user issued a specific command from his/her history file. I have a list of 50 users and I want to detect who used either "rm" or "mv" command. Please forward any known "find" string or script that you may use for this kind of activity. Thanks in advance for your time and inputs.
Regards,

-Kennedy

Acclaimed Contributor
Posts: 21,184
Registered: ‎07-06-2000
Message 2 of 4 (340 Views)

Re: HOW to grep for "rm" or a specific command from users' .sh_history file?

Hi Kennedy:
First, remember that any user who wishes to hide his/her activity only has to remove his/her '.sh_history' or truncate it by redirecting '/dev/null' into it.
That said, you could try (as root):
# find /home -name .sh_history -exec grep -E "mv|rm" {} +
This assumes that the user's default shell is '.sh_history' and that its path is in '/home'.  You could address this by examining '/etc/passwd' to obtain a list of users as well as their HOME login directory and shell.
Regards!
...JRF...

Regular Advisor
Posts: 138
Registered: ‎09-18-2005
Message 3 of 4 (334 Views)

Re: HOW to grep for "rm" or a specific command from users' .sh_history file?

James:
Thanks a billion.... I really appreciate it. I will try out your string/suggestion.
Other users, please keep it coming...

Acclaimed Contributor
Posts: 26,107
Registered: ‎03-06-2006
Message 4 of 4 (316 Views)

Re: HOW to grep for "rm" or a specific command from users' .sh_history file?

>Other users, please keep it coming...
There are not very many ways to do this.  Of course the user could rename his history file and put it elsewhere with:

   export HISTFILE=

You could grep his ~/.profile to check for that. And of course there is a separate history for the scummy C shell. And I suppose bash could use a different one.
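As an added example (it is not code from any of the replies above), the script below follows the second reply's suggestion of reading /etc/passwd for each user's home directory and login shell, and also checks ~/.profile for the `export HISTFILE=` override raised in the last reply before grepping the resolved history file. The mapping from login shell to default history file, the uid cut-off for system accounts, and the sandbox of fake users it builds so it can run offline are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit each login user's history file
# for a set of commands. Shell-to-history-file defaults, the uid cut-off and
# the sandbox below are assumptions made for the demonstration.

# Default history file written by a given login shell (common defaults; an assumption).
default_histfile() {
    case "$(basename "$1")" in
        bash)      echo ".bash_history" ;;
        csh|tcsh)  echo ".history" ;;
        *)         echo ".sh_history" ;;   # sh, ksh and anything unknown
    esac
}

# Resolve a user's history file, honouring a literal 'export HISTFILE=...'
# in ~/.profile (the override raised in the last reply). Only a plain path,
# optionally ~-relative or quoted, is understood; otherwise the default is used.
histfile_for() {
    h=$1; s=$2
    override=$(sed -n 's/^[[:space:]]*export[[:space:]]*HISTFILE=//p' "$h/.profile" 2>/dev/null \
               | tail -n 1 | tr -d "\"'")
    case "$override" in
        "")     echo "$h/$(default_histfile "$s")" ;;
        /*)     echo "$override" ;;
        "~"/*)  echo "$h${override#\~}" ;;
        *)      echo "$h/$override" ;;
    esac
}

# scan_history PASSWD_FILE 'rm|mv'  ->  lines of "user:histfile:matching command"
scan_history() {
    passwd=$1; pattern=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -ge 100 ] 2>/dev/null || continue    # skip system accounts (threshold assumed)
        hf=$(histfile_for "$home" "$shell")
        [ -r "$hf" ] || continue
        # ksh history files carry NUL separators and high bytes, which make grep
        # treat them as binary; strip NULs and grep in the C locale.
        # -w matches whole words only, so "format" or "perm" does not hit "rm".
        tr -d '\000' < "$hf" | LC_ALL=C grep -Ew -- "$pattern" | sed "s|^|$user:$hf:|"
    done < "$passwd"
}

# Constructed sandbox: a fake passwd file and home directories under a temp dir,
# so the example runs without touching the real system. Prints the sandbox root.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/home/carol/.priv"
    cat > "$root/passwd" <<EOF
root:x:0:0:root:$root/root:/sbin/sh
alice:x:101:20:Alice:$root/home/alice:/usr/bin/ksh
bob:x:102:20:Bob:$root/home/bob:/usr/bin/bash
carol:x:103:20:Carol:$root/home/carol:/usr/bin/ksh
EOF
    printf 'ls -l\nrm -f /tmp/report.txt\nformat /dev/rdsk/c0t0d0\n' > "$root/home/alice/.sh_history"
    printf 'cd /var/tmp\nmv old.log archive/\n' > "$root/home/bob/.bash_history"
    # carol relocated her history via ~/.profile, as the last reply warns
    printf 'export HISTFILE=~/.priv/hist\n' > "$root/home/carol/.profile"
    printf 'rm -rf /var/tmp/scratch\n' > "$root/home/carol/.priv/hist"
    echo "$root"
}

# Demo run against the sandbox; on a real host you would pass /etc/passwd (as root).
sandbox=$(make_sandbox)
scan_history "$sandbox/passwd" 'rm|mv'
rm -rf "$sandbox"
```

The demo reports alice's `rm -f`, bob's `mv` and carol's `rm -rf` from her relocated history file, and does not report alice's `format` line. As the replies note, a history file is only evidence when the user has not removed, truncated or redirected it, so an empty result is not proof of absence.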