run a key logger On Tue, Jan 19, 2010 at 9:24 AM, Nick Baronian <[email protected]> wrote:
> There are probably a ton of different ways to do this but if the user > is deleting the history file you could probably just create a hardlink > to the user's .bash_history for a one time catch. The hard link will > be broken after the file is deleted and if the user is erasing the > data in the file the hard link will do you little good. > ln /home/user/.bash_history /root/userhistory > A better solution might be to try playing with the HISTFILE setting. > I haven't tried it but you may be able to specify more than one file > or you could just change the user's history to another spot. > You may also want to verify the histappend is set. > > Nick > On Tue, Jan 19, 2010 at 5:50 AM, Monkey Daemon > <[email protected]> wrote: > > Hi, > > > > I've just discovered a system on which one of our darling users has > > decided adding a script to his .bash_logout file that removes > > .bash_history on logout is a clever thing to do. > > > > Is there a way to take a copy of the .bash_history file before it is > > deleted? This user obviously has something to hide as far as I'm > > concerned, so I need to archive this file to present it as evidence. > > > > Thanks in advance, > > > > MWD. > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > -- Tim Krabec Kracomp 772-597-2349 smbminute.com kracomp.blogspot.com www.kracomp.com
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
