PaulDotCom mailing list archives

Archiving History files


From: tkrabec at gmail.com (Tim Krabec)
Date: Tue, 19 Jan 2010 10:48:35 -0500

Run a key logger.

On Tue, Jan 19, 2010 at 9:24 AM, Nick Baronian <nbaronian at gmail.com> wrote:

There are probably a ton of different ways to do this, but if the user
is deleting the history file you could probably just create a hard link
to the user's .bash_history for a one-time catch.  The hard link will
be broken after the file is deleted, and if the user is erasing the
data in the file the hard link will do you little good.

ln /home/user/.bash_history /root/userhistory

A better solution might be to try playing with the HISTFILE setting.
I haven't tried it, but you may be able to specify more than one file,
or you could just change the user's history to another spot.
You may also want to verify that histappend is set.

Nick

On Tue, Jan 19, 2010 at 5:50 AM, Monkey Daemon
<monkeywebdaemon at googlemail.com> wrote:

Hi,

I've just discovered a system on which one of our darling users has
decided adding a script to his .bash_logout file that removes
.bash_history on logout is a clever thing to do.

Is there a way to take a copy of the .bash_history file before it is
deleted? This user obviously has something to hide as far as I'm
concerned, so I need to archive this file to present it as evidence.

Thanks in advance,

MWD.
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


-- 
Tim Krabec
Kracomp
772-597-2349
smbminute.com
kracomp.blogspot.com
www.kracomp.com
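
Added example (not part of the original thread or written by its participants): a shell demonstration of the hard-link behaviour described in the quoted reply above, covering deletion, in-place erasure, and the "one-time catch" limit. It runs in a scratch directory; the file names `bash_history` and `archive_copy` and the history lines are constructed stand-ins.

```shell
#!/bin/sh
# Constructed demo: scratch directory, made-up file names and history lines.

# Build a stand-in history file plus a hard link to it, mirroring
#   ln /home/user/.bash_history /root/userhistory
# Prints the scratch directory path.
setup_case() {
    dir=$(mktemp -d) || return 1
    printf 'ls -la\ncat notes.txt\n' > "$dir/bash_history"
    ln "$dir/bash_history" "$dir/archive_copy"
    printf '%s\n' "$dir"
}

# Case 1: a logout script removes the file. The second link keeps the
# inode alive, so the archived name still holds every line.
lines_after_delete() {
    dir=$(setup_case) || return 1
    rm -f "$dir/bash_history"
    n=$(wc -l < "$dir/archive_copy")
    rm -rf "$dir"
    echo $((n))
}

# Case 2: the data is erased in place (truncation). Both names share one
# inode, so the archived name is emptied as well.
lines_after_truncate() {
    dir=$(setup_case) || return 1
    : > "$dir/bash_history"
    n=$(wc -l < "$dir/archive_copy")
    rm -rf "$dir"
    echo $((n))
}

# Case 3: after a delete, the next session writes a fresh history file.
# It gets a new inode, so the old link no longer follows it.
inode_after_recreate() {
    dir=$(setup_case) || return 1
    rm -f "$dir/bash_history"
    printf 'new session command\n' > "$dir/bash_history"
    a=$(ls -i "$dir/bash_history" | awk '{print $1}')
    b=$(ls -i "$dir/archive_copy" | awk '{print $1}')
    rm -rf "$dir"
    if [ "$a" = "$b" ]; then echo same; else echo different; fi
}

echo "lines via link after rm:       $(lines_after_delete)"
echo "lines via link after truncate: $(lines_after_truncate)"
echo "inode after file is recreated: $(inode_after_recreate)"
```

A hard link can only be created when both names are on the same filesystem, so the `ln` in the thread works only if /home and /root share one.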