#! /bin/bash# /etc/bash.bash_logout## Time-stamped bash history logging# by

1. #! /bin/bash
2.  
3. # /etc/bash.bash_logout
4. #
5. # Time-stamped bash history logging
6. # by Craig Sanders <cas@taz.net.au> 2008
7. #
8. # This script is public domain. Do whatever you want with it.
9.  
10. exec >& /dev/null
11.  
12. # LOGDIR must already exist and must be mode 1777 (same as /tmp)
13. # put it somewhere easily overlooked by script-kiddies. /var/log
14. # is a bad location because slightly-brighter-than-average SK's will
15. # often 'rm -rf /var/log' to cover their tracks.
16. LOGDIR='/var/tmp/.history'
17.  
18. [ -d "$LOGDIR" ] || exit 0
19.  
20. # Get current user name and who they logged in as.
21. CNAME=$(id -u -n)
22. LNAME=$(who am i | awk '{print $1}')
23. NAME="$LNAME--$CNAME"
24.  
25. # Get the TTY
26. TTY=$(tty)
27.  
28. # get the hostname and ip they logged in from
29. # short (non-fqdn) hostname:
30. RHOST_NAME=$(who -m | awk '{print $5}' | sed -r -e 's/[()]|..*//g')
31. # or full hostname:
32. #RHOST_NAME=$(who -m | awk '{print $5}' | sed -r -e 's/[()]//g')
33.  
34. # if no RHOST_NAME, then login was on the console.
35. echo "$RHOST_NAME" | grep -q '[:/]' && RHOST_NAME="console"
36.  
37. # get the IP address
38. RHOST_IP=$(who -m --ips | awk '{print $5}')
39. echo "$RHOST_IP" | grep -q '[:/]' && RHOST_IP="console"
40.  
41. RHOST=$(echo "$RHOST_NAME--$RHOST_IP")
42.  
43. WHERE="$RHOST--$TTY"
44. WHERE=$(echo "$WHERE" | sed -e 's///-/g' -e 's/^-//')
45.  
46. # Filenames will be of the form:
47. # $LOGDIR/cas--root--localhost--127.0.0.1---dev-pts-1
48. # Ugly, but useful/informative. This example shows I logged in as cas
49. # from localhost, sudo-ed to root, and my tty was /dev/pts/1
50. HISTLOG="$LOGDIR/$NAME--$WHERE"
51.  
52.  
53. # Optionally rotate HISTLOG on each logout, otherwise new history
54. # sessions just get appended.
55. #[ -e "$HISTLOG" ] && savelog -l -c 21 -q $HISTLOG > /dev/null 2>&1
56.  
57. # Log some easily parseable info as a prelude, including the current
58. # history settings (an unusual HISTFILE or zero HISTSIZE setting is
59. # suspicious and worthy of investigation)
60.  
61. cat <<__EOF__ >> "$HISTLOG"
62.  
63. ### TIME ### $(date +'%a,%Y-%m-%d,%H:%M:%S')
64. ### FROM ### $RHOST_NAME,$RHOST_IP,$TTY
65. ### USER ### $LNAME,$CNAME
66. ### WHOM ### $(who -m)
67. ### HIST ### $HISTFILE,$HISTSIZE
68.  
69. __EOF__
70.  
71.  
72. # Setting HISTTIMEFORMAT seems to be buggy. bash man page says it uses
73. # strftime, but all it seems to care about is whether it's set or not -
74. # 'history -a' always uses seconds since epoch, regardless of what it is
75. # set to.
76.  
77. HISTTIMEFORMAT="%s"
78. history -a "$HISTLOG"
79.  
80.  
81. # Now write history as normal (this seems buggy too. bash used to always
82. # write $HISTFILE anyway, but now it won't do it if you've already run
83. # 'history -a')
84.  
85. unset HISTTIMEFORMAT
86. history -w
87.  
88. $umask 0000
89. $FileCreateMode 0666
90. local2.info /var/log/usercommands
91. $umask 0077