Yes, using the history command to track the changes made to the system is not convincing. There should be some auditing tool to track the changes. Any suggestions, please?

On Thu, Dec 12, 2013 at 1:23 PM, Arun Khan <[email protected]> wrote:

> On Thu, Dec 12, 2013 at 11:05 AM, Rajagopal Swaminathan
> <[email protected]> wrote:
> > Greetings,
> >
> > On Wed, Dec 11, 2013 at 2:24 PM, Arun Khan <[email protected]> wrote:
> >>
> >> Who changed it? Do you have any mechanism in place to track such changes?
> >>
> >
> > One possible mechanism in bash is:
> >
> > echo 'export HISTTIMEFORMAT="%F %T "' >> /etc/profile
> > echo 'export HISTSIZE=5000' >> /etc/profile
> > echo 'export PROMPT_COMMAND="history -a"' >> /etc/profile
> >
> > This will help track last 5000 commands typed in any terminal window
> >
> > one just has to type
> >
> > history -r
> >
> > in the terminal logged in as the user whose history one wants to track
> >
>
> However, if the system has been b0rk3ed, the cracker will most likely
> remove the command history as well e.g. '> ~/.bash_history' or disable
> command history logging (export HISTFILE=/dev/null) *before* s/he goes
> about doing the damage!
>
> -- Arun Khan
> _______________________________________________
> ILUGC Mailing List:
> http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
> ILUGC Mailing List Guidelines:
> http://ilugc.in/mailinglist-guidelines
>

--
*Thanks,
Madhusudhanan*
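
An added illustration, not part of the thread or any poster's code: the script below checks an account for the two tampering signs mentioned above (an emptied ~/.bash_history and HISTFILE pointed at /dev/null) and for history entries missing the timestamps that HISTTIMEFORMAT should produce. The function names, finding labels and fixture files are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report signs that bash history was
# wiped or disabled. Finding labels and sample files are constructed.

# check_history HISTFILE [RCFILE...] -> one finding per line, nothing if clean
check_history() {
    local hist="$1" rc; shift
    if [ ! -e "$hist" ]; then
        echo "MISSING $hist"
    elif [ ! -s "$hist" ]; then
        echo "EMPTY $hist"                 # result of '> ~/.bash_history'
    elif ! grep -Eq '^#[0-9]+$' "$hist"; then
        # With HISTTIMEFORMAT set, bash writes "#<epoch>" before each entry,
        # so a file without such lines was not written under that policy.
        echo "NO_TIMESTAMPS $hist"
    fi
    for rc in "$@"; do
        [ -r "$rc" ] || continue
        # HISTFILE pointed at /dev/null in a startup file (optional quote)
        if grep -Eq '^[[:space:]]*(export[[:space:]]+)?HISTFILE=.?/dev/null' "$rc"; then
            echo "HISTFILE_DISABLED $rc"
        fi
    done
    return 0
}

# Constructed fixtures: one healthy account, one tampered account.
make_fixtures() {
    local d="$1"
    mkdir -p "$d/good" "$d/bad"
    printf '#1386830000\nls -l\n#1386830042\nvi /etc/hosts\n' > "$d/good/.bash_history"
    printf 'export HISTSIZE=5000\n' > "$d/good/.bashrc"
    : > "$d/bad/.bash_history"
    printf 'export HISTFILE=/dev/null\n' > "$d/bad/.bashrc"
}

demo_dir=$(mktemp -d)
make_fixtures "$demo_dir"
for u in good bad; do
    echo "== $u"
    check_history "$demo_dir/$u/.bash_history" "$demo_dir/$u/.bashrc"
done
rm -rf "$demo_dir"
```

The check only sees what is on disk: a HISTFILE change made inside a live session leaves no trace in the startup files, and results gathered on a compromised machine are only as trustworthy as that machine.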
