How to Capture All the Commands Typed in Unix/Linux by Any User

How to capture all the commands typed in Unix/Linux by any user?

There seems to be quite a good article on shell auditing at
http://administratosphere.wordpress.com/2011/05/20/logging-every-shell-command/ .

This considers things like reliability of user history files (and provides info on improving that), but also discusses explicit auditing features built into shells. It may be that whatever environment you're using doesn't have the shells compiled with auditing features enabled, but if you have the source and configuration for your builds available (as you would do at least for any Linux distribution), it shouldn't be too hard to enable the auditing feature while keeping the rest of the configuration as it is in the default distribution.

What this approach would still leave open is the commands executed through some other command, or operating system functionality called from within some program. So, for example, if you have perl, or any other programming language interpreter available on the machine, while you possibly can audit the execution of perl, you cannot tell what the user had told the perl interpreter to do. On the other hand, even with shell auditing, I'm not certain whether the perl execution would be seen if it was executed, for example, from within some editor (like vi) as a filter to process whatever had been written within the editor.

So, while shell auditing will provide you one layer of auditing, the gain is not that great unless your environment is really tightened against other paths of execution than the shell.

You should consider whether the users to be audited actually need shell access - and if not, provide them with something more limited, with auditing capabilities. A small text-based menu system, perhaps?

Is there any way to find what commands we have run in Linux apart from history?

On the Linux distributions and installations I have encountered: no, it's not possible. Even .bash_history stores only bash history (and some administrators can (and will) use other shells) and usually has a limit set, so it sometimes gets truncated. You would have to write and configure such a utility yourself.

How to search all matching previous commands using ctrl+R in Linux

If you press Ctrl+R and type your search, you will get the last record matching this search.

If you press Ctrl+R again you will get the previous record. You can press Ctrl+R repeatedly to get older matches.

This doesn't provide a list though.

Linux command to list all available commands and aliases

You can use the bash(1) built-in compgen

  • compgen -c will list all the commands you could run.
  • compgen -a will list all the aliases you could run.
  • compgen -b will list all the built-ins you could run.
  • compgen -k will list all the keywords you could run.
  • compgen -A function will list all the functions you could run.
  • compgen -A function -abck will list all the above in one go.

Check the man page for other completions you can generate.

To directly answer your question:

compgen -ac | grep searchstr

should do what you want.

Execute a command without keeping it in history

Start your command with a space and it won't be included in the history.

Be aware that this does require the environment variable $HISTCONTROL to be set.

  • Check that the following command returns ignorespace or ignoreboth:

     echo $HISTCONTROL

  • To add the environment variable if missing, the following line can be added to the Bash profile, e.g., to the file $HOME/.bashrc:

     export HISTCONTROL=ignorespace

After sourcing the profile again, space-prefixed commands will not be written to $HISTFILE.

How can I see all of the bash history?

You should look into the histappend shell option and the -a flag to history:

histappend

If set, the history list is appended to the file named by the value of the HISTFILE variable when the shell exits, rather than overwriting the file.

history

-a Append the "new" history lines (history lines entered since the beginning of the current bash session) to the history file.

If you put history -a into your PROMPT_COMMAND, you'll get an always-up-to-date .bash_history file.

Automatically capture output of last command into a variable using Bash?

This is a really hacky solution, but it seems to mostly work some of the time. During testing, I noted it sometimes didn't work very well when getting a ^C on the command line, though I did tweak it a bit to behave a bit better.

This hack is an interactive mode hack only, and I am pretty confident that I would not recommend it to anyone. Background commands are likely to cause even less defined behavior than normal. The other answers are a better way of programmatically getting at results.


That being said, here is the "solution":

PROMPT_COMMAND='LAST="`cat /tmp/x`"; exec >/dev/tty; exec > >(tee /tmp/x)'

Set this bash environmental variable and issue commands as desired. $LAST will usually have the output you are looking for:

startide seth> fortune
Courtship to marriage, as a very witty prologue to a very dull play.
-- William Congreve
startide seth> echo "$LAST"
Courtship to marriage, as a very witty prologue to a very dull play.
-- William Congreve

Linux Command History with date and time

Regarding this link you can make the first solution provided by krzyk permanent by executing:

echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile
source ~/.bash_profile
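
Once HISTTIMEFORMAT is set, bash also writes each command's time into the history file itself, as a "#<epoch>" line ahead of the command. The following is an added example (not part of the original answer) that parses such a file into one record per entry for review; the function name parse_history and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse a bash history file written with HISTTIMEFORMAT set.

# parse_history FILE -> one "epoch<TAB>command" record per history entry.
# Entries that precede the first timestamp (written before HISTTIMEFORMAT
# was set) get "-" as their epoch. Assumption: once timestamps appear, any
# extra lines before the next timestamp are continuation lines of a single
# multi-line entry (as saved with "shopt -s lithist"); they are joined
# with a literal " \n " marker so each entry stays on one output line.
parse_history() {
    awk '
        function flush() {
            if (have) printf "%s\t%s\n", ts, cmd
            have = 0; cmd = ""
        }
        /^#[0-9]+$/ {        # timestamp line: starts a new entry
            flush(); ts = substr($0, 2); seen = 1; next
        }
        !seen {              # legacy entry with no timestamp
            printf "-\t%s\n", $0; next
        }
        {                    # command text, or a continuation line
            cmd = have ? cmd " \\n " $0 : $0; have = 1
        }
        END { flush() }
    ' "$1"
}

# Constructed sample history file (not real data).
sample=$(mktemp)
cat >"$sample" <<'EOF'
ls -l
#1700000000
sudo -l
#1700000060
echo one &&
echo two
EOF

parse_history "$sample"
```

Entries reported with "-" cannot be placed in time, which is worth noting when the file is used as evidence. With GNU date, an epoch value can be converted to the format above with date -d @<epoch> '+%d/%m/%y %T'.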

