Am 16.03.2012 15:56, schrieb Greg Wooledge:
On Fri, Mar 16, 2012 at 02:33:35PM +0000, Lars Peterson wrote:
Is there a way to configure bash so that commands from a
non-interactive
shell are preserved in the history? I'm more interested in saving
commands
invoked via ssh vs shell scrpts.
From CHANGES, for bash 4.1:
l. There is a new configuration option (in config-top.h) that forces
bash to
forward all history entries to syslog.
However, that only applies to commands that bash is already adding to
its history. So you'd also have to do a "set -o history" command at
some point, since non-interactive shells don't do that by default.
That might be tricky to arrange.
And of course you'd have to force the ssh user to use your specially
compiled bash with the SYSLOG_HISTORY option, and not some other shell.
If the larger context is "I want to know everything my users are doing",
you're going to end up frustrated. Unix simply wasn't designed to lock
users down. Quite the opposite -- it was designed to give users full
power. Users can make system calls without going through a shell, by
writing C code and so on. They can also invoke processes without using
a shell, if processes are the thing you actually want to track, rather
than, for instance, file system operations.
If any of the above resembles your actual goal, then you need to look
into "accounting" ("process accounting", etc.). It's a huge topic, and
logging shell commands doesn't even come close to addressing it.
Just a suggestion but if its only about ssh then you could chroot to a
new base and replace the bash with a bash script.
or change the default shell. to something like this.
file
/bin/bash
#!/bin/realbash
exec /bin/realbash -o history "${@}"
i.e. so that when bash is called you enable history. haven't really
tried it but I think it should be possible.
or do something like
/bin/bash
#!/bin/realbash
exec logapp /bin/realbash -o xtrace "${@}"
/bin/logbash
#!/bin/bash
exec logapp /bin/bash -o xtrace "${@}"
testsctipt.sh
#!/bin/logbash
do something here .....
just some rough ideas.
I mean depending on your setup you could either change the account
default shell, only allow execution of the special logging shell, or
just specify the logging shell in you hash bang entry.
heck you could even do something really crazy like manually read the
bash input/script usinf read and eval each line of code,
something like
while read -re ; do
echo "${REPLY}"
eval "${REPLY}" ## not saying its a good idea just that there are a
lot of ways to skin this particular fish.
done
or even something like
/bin/logscript
#!/bin/bash
trap 'echo "${BASH_COMMAND}" >> Logfile' DEBUG
source "${1}"