In Linux, we generally use a lot of commands, and it is difficult to remember all of them. The history command provides the list of commands we used previously, but its limit is low. New commands overwrite old commands, and then the old commands are missing. I think the log of the commands is stored somewhere in the system.
Is that log available to open and read? If possible, can we change the maximum size of log that it can handle?
Does the output of the history command depend upon the login user?
Answers:
Method 1
A simple solution is to increase the number of commands saved and returned by history. If you use bash, add this line to your ~/.profile:
    export HISTSIZE=100000
    export HISTFILESIZE=999999
From man bash:
HISTFILESIZE
    The maximum number of lines contained in the history file. When
    this variable is assigned a value, the history file is truncated,
    if necessary, to contain no more than that number of lines by
    removing the oldest entries. The history file is also truncated
    to this size after writing it when a shell exits. If the value
    is 0, the history file is truncated to zero size. Non-numeric
    values and numeric values less than zero inhibit truncation. The
    shell sets the default value to the value of HISTSIZE after
    reading any startup files.
HISTSIZE
    The number of commands to remember in the command history (see
    HISTORY below). If the value is 0, commands are not saved in the
    history list. Numeric values less than zero result in every
    command being saved on the history list (there is no limit). The
    shell sets the default value to 500 after reading any startup
    files.
Method 2
The file ~/.bash_history saves the list of executed commands. At least in CentOS this file exists, I don’t know if it exists in other distros.
Method 3
There is no such log, at least not by default.
There are tools you can install, like acct (“GNU Accounting utilities for process and login accounting”) which can keep track of all programs executed on the system.
acct is packaged for most (probably all except tiny-distros) Linux distros. The home page is at http://www.gnu.org/software/acct/
acct provides the following commands, lastcomm probably does what you’re asking for:
ac
    prints statistics about users’ connect time. ac can tell you how long a particular user or group of users were connected to your system, printing totals by day or for all of the entries in the wtmp file.
accton
    turns accounting on or off.
lastcomm
    lists the commands executed on the system, most recent first, showing the run state of each command. With last, you can search the acct file for a particular user, terminal, or command.
sa
    summarizes the information in the acct file into the savacct and usracct file. It also generates reports about commands, giving the number of invocations, cpu time used, average core usage, etc.
dump-acct, dump-utmp
    display acct and utmp files in a human-readable format.
Method 4
I am going to take a different approach to answering your question. While the ~/.bash_history log does log commands, scripts, one-liners, etc. the user has full control over their history.
From an SA’s point of view you probably do not want this; instead you may want to audit what is executed on the system?
How I do this is by using auditd; some example rules are below for /etc/auditd/auditd.rules:
-w /sbin/mkfs -p x -k sbin_mkfs
-w /sbin/mke2fs -p x -k sbin_mke2fs
-w /sbin/mkswap -p x -k sbin_mkswap
-w /sbin/mkinitrd -p x -k sbin_mkinitrd
-w /sbin/modinfo -p x -k sbin_modinfo
-w /sbin/modprobe -p x -k sbin_modprobe
auditd would then log to /var/log/audit/ when any of the above commands are executed (-p x), and you can then view all commands that were executed on the system and by whom. It has a buffer whose size you specify, and you can configure auditd to overwrite old logs, etc.
This seems to be what you want?
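How the records written by watch rules like these can be summarised per rule key and login user, as an added example that is not part of the answer above. The log lines are constructed and abbreviated, and the function names `sample_audit_log` and `summarize_audit_exec` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: who ran the binaries watched by rules like
#   -w /sbin/modprobe -p x -k sbin_modprobe
# Log lines are constructed and abbreviated; real SYSCALL records carry more fields.

sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000001.101:210): arch=c000003e syscall=59 success=yes exit=0 pid=2140 auid=1000 uid=0 euid=0 tty=pts0 comm="modprobe" exe="/sbin/modprobe" key="sbin_modprobe"
type=EXECVE msg=audit(1700000001.101:210): argc=2 a0="modprobe" a1="dummy"
type=SYSCALL msg=audit(1700000050.007:233): arch=c000003e syscall=59 success=yes exit=0 pid=2301 auid=1001 uid=1001 euid=1001 tty=pts1 comm="mkfs" exe="/sbin/mkfs" key="sbin_mkfs"
type=SYSCALL msg=audit(1700000090.412:251): arch=c000003e syscall=59 success=yes exit=0 pid=2377 auid=1000 uid=0 euid=0 tty=pts0 comm="modprobe" exe="/sbin/modprobe" key="sbin_modprobe"
type=SYSCALL msg=audit(1700000120.900:260): arch=c000003e syscall=59 success=yes exit=0 pid=412 auid=4294967295 uid=0 euid=0 tty=(none) comm="modprobe" exe="/sbin/modprobe" key="sbin_modprobe"
type=SYSCALL msg=audit(1700000130.001:261): arch=c000003e syscall=59 success=yes exit=0 pid=2400 auid=1001 uid=1001 euid=1001 tty=pts1 comm="ls" exe="/bin/ls" key=(null)
EOF
}

# Read audit records on stdin; print "key auid uid exe count" per distinct tuple.
summarize_audit_exec() {
  awk '
    $1 == "type=SYSCALL" {
      key = auid = uid = exe = ""
      for (i = 2; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        name = substr($i, 1, eq - 1)      # exact name, so euid never matches uid
        val  = substr($i, eq + 1)
        gsub(/"/, "", val)
        if      (name == "key")  key  = val
        else if (name == "auid") auid = val
        else if (name == "uid")  uid  = val
        else if (name == "exe")  exe  = val
      }
      if (key == "" || key == "(null)") next    # event not tagged by a -k rule
      if (auid == "4294967295") auid = "unset"  # no login session (daemon, boot)
      count[key " " auid " " uid " " exe]++
    }
    END { for (k in count) print k, count[k] }
  ' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
sample_audit_log | summarize_audit_exec
```

The auid column is the login UID, which stays the same after su or sudo, so a row with auid=1000 and uid=0 is user 1000 acting as root. On a live system `ausearch -k sbin_modprobe -i` returns the same keyed records with IDs resolved to names.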
Method 5
Note that if you don’t use bash, it won’t be in ~/.bash_history, but ~/.<shell name>_history. For example, I use zsh, my log is in ~/.zsh_history.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.