Viewing bash history of separate active TTY
I am working on a script that will help the sysadmins on our team monitor what's going on in other terminals by other logged in users.
One thing I'm stuck on right now is how to view what commands have been typed. I realize that the history doesn't get saved until the user exits or types history -a, but there has to be a way to view what's currently in the history, even if it's stored in memory somewhere.
Is it possibly saved somewhere in /proc/$pid_of_users_bash? I tried to type a command echoing a unique string (EG: echo "foobarbaz"), then grepping for foobarbaz through any flat files within the associated /proc/PID directory, but no luck.
If anyone has a solution that doesn't involve setting the PROMPT_COMMAND or setting the histappend (like these), that would be greatly appreciated.
shell tty command-history proc
edited Oct 2 '17 at 20:08 by Jeff Schaller
asked Oct 2 '17 at 19:30 by Justin
If the question does not attract a solution within the constraints and you do end up punting by using PROMPT_COMMAND ... unix.stackexchange.com/questions/207813/… – Christopher Oct 2 '17 at 20:16
@Christopher That's what happens on one of the systems I'm using. I'm promptly unsetting PROMPT_COMMAND when logging in there. It also messes with set -x which I have turned on by default... – Kusalananda Oct 2 '17 at 20:29
1 Answer
Bash does not provide the information you want. I think you want to avoid setting COMMAND_PROMPT and histappend because users may easily overwrite them. But users may completely disable storing commands to history when they set HISTCONTROL="ignorespace" and insert a space before each command. So users that are not willing to be monitored cannot be reliably monitored via bash history.
Ad hoc monitoring of a single session can be done over strace. Search for the PID of the user's bash and then call strace -p <bash-pid> 2>&1 |grep "read(0,". Then you can see all characters typed by the user - including typos and editing commands.
Most Linux distributions provide the auditd package. It monitors and audits system components so the administrator may get information about system activities in the past. A PAM module pam_tty_audit cooperates with auditd and enables or disables TTY activity auditing. I guess you do not need to reinvent the wheel and can use pam_tty_audit.
answered Oct 15 '17 at 9:22 by Zaboj Campula
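How the TTY records that pam_tty_audit hands to auditd can be read back, as an added example that is not part of the original answer: it decodes the hex-encoded data= field and shows both the raw keystrokes and the line after backspaces are applied. The two TTY records are constructed, and the record layout is assumed to match what auditd writes to its log; `aureport --tty` is the stock tool for the same job.

```python
import re

# Constructed sample. TTY records appear once pam_tty_audit is enabled, e.g.
# with the man page's line: session required pam_tty_audit.so disable=* enable=root
# pids, timestamps and keystrokes here are made up; the layout is an assumption.
SAMPLE_LOG = """\
type=TTY msg=audit(1507886400.101:510): tty pid=4211 uid=0 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C610D
type=USER_START msg=audit(1507886401.000:511): pid=4300 uid=0 auid=1000 ses=3 msg='op=PAM:session_open'
type=TTY msg=audit(1507886405.220:512): tty pid=4211 uid=0 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6563686F2022666F6F626172627A7F617A220D
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): tty '
    r'pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) .*?'
    r'comm="(?P<comm>[^"]*)" data=(?P<data>(?:[0-9A-Fa-f]{2})+)$')
NAMES = {0x0D: "<ret>", 0x0A: "<nl>", 0x7F: "<backspace>", 0x09: "<tab>", 0x1B: "<esc>"}

def parse_tty_records(log_text):
    """Yield one dict per type=TTY record; other record types are skipped."""
    for line in log_text.splitlines():
        m = TTY_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["raw"] = bytes.fromhex(rec.pop("data"))  # keystrokes as bytes
            yield rec

def render_keys(raw):
    """Show every keystroke, naming control bytes instead of hiding them."""
    return "".join(
        NAMES.get(b, chr(b) if 0x20 <= b < 0x7F else f"<0x{b:02x}>") for b in raw)

def effective_lines(raw):
    """Apply backspaces and split on Enter to approximate the submitted lines.
    Cursor movement, tab completion and history recall are not modelled."""
    lines, buf = [], []
    for b in raw:
        if b in (0x0D, 0x0A):
            lines.append("".join(buf))
            buf = []
        elif b in (0x7F, 0x08):
            if buf:
                buf.pop()
        elif 0x20 <= b < 0x7F:
            buf.append(chr(b))
    return lines

if __name__ == "__main__":
    for r in parse_tty_records(SAMPLE_LOG):
        print(r["ts"], "auid=" + r["auid"], r["comm"], render_keys(r["raw"]))
        print("    ->", effective_lines(r["raw"]))
```

The auid field is the login UID, so the record stays attributable to the original account after su or sudo. By default pam_tty_audit does not record keystrokes typed while echo is off (password prompts) unless its log_passwd option is set.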