AIX


how to format all sh-history files

  • 1.  how to format all sh-history files

    Posted Wed August 26, 2009 01:18 PM

    Originally posted by: elittle


    Thank you in advance for any and all help.

    How do I make every .sh_history file have a date/time format instead of the epoch time stamp, including users that sudo to root? I want to be able to correlate issues on the server with their commands by time stamp. OS level is 5300-07-03-0811


  • 2.  Re: how to format all sh-history files

    Posted Wed August 26, 2009 01:50 PM

    Originally posted by: unixgrl


    new feature that I think is in TL7.
    In the default system profile, add the line
    EXTENDED_HISTORY=ON

    That will give your history nice timestamps.
    example:
    $history -t
    58 2009/08/26 13:47:50 :: view .profile
    59 2009/08/26 13:48:21 :: history -t

    I'm not sure how/if this works with sudo so give it a try in your environment.


  • 3.  Re: how to format all sh_history files

    Posted Wed August 26, 2009 02:08 PM

    Originally posted by: elittle


    I am still getting the same gibberish after making the setting and exiting root and sudoing back in as root:

    ls -al #M-^#1251298156#M-_#

    I am fairly confident that the numbers between the # signs are epoch time. Why oh why can't IBM make it simple for admins to tell what time a user executed commands when they were sudo'ed as root?

    I think the EXTENDED_HISTORY=ON is for when you run the fc -t command and not for actually storing the time stamp in the .sh_history file.

    Thanks for the help though.


  • 4.  Re: how to format all sh-history files

    Posted Wed August 26, 2009 02:35 PM

    Originally posted by: unixgrl


    You are right that turning on the extended history doesn't put the date/timestamp
    in a readable format in the history file. Running fc -t or history -t will show
    the data.

    What are you trying to do with the history information that you want the date/timestamp
    in a readable format in the file? If you are troubleshooting a problem, running history -t to get the details in the proper format doesn't add any more steps or time than running history by itself.

    I understand it would be nice if it was in the file in a readable format, but it's not inconvenient enough to ask for a design change.


  • 5.  Re: how to format all sh_history files

    Posted Wed August 26, 2009 02:54 PM

    Originally posted by: elittle


    I recently had a user that has sudo access do chmod 777 -R /usr, and it would be nice to show my supervisor what this user did without having to convert the epoch time that is listed in their .sh_history file. It will make my job easier because having the time formatted into a readable format already adds validity to what I am saying because I didn't have to manipulate it into a readable format. See what I am saying, I need to cya myself so that this person cannot deny anything. It just makes this process easier and shouldn't that be the focus of IBM? Just because this is the way they have always done it doesn't make it right nor should they stay in the status quo.

    Which would you rather do to show that someone did something they shouldn't have, convert a series of epochs (which gives the accused an opening to throw doubt on you) or just show the file in its pristine condition?


  • 6.  Re: how to format all sh-history files

    Posted Wed August 26, 2009 03:25 PM

    Originally posted by: unixgrl


    Well, if you are trying to use a user's .sh_history to prove something, there can always be doubt. They (or you) can change their .sh_history file to say anything. They could change readable timestamps, make it so their history goes into a different file or just delete it. So, if you are worried about CYA, then you should prove your case using sudo logfiles and process accounting information which the user cannot change. This might not give you the exact command they ran but it will certainly give enough info to prove what happened beyond reasonable doubt.

    I think mgmt would find the history info to be much more reliable when it is in a format that is harder to edit.

    Bring up these points when mgmt thinks you are lying to them. If they still want to believe the user didn't do anything it might be time to work for a different mgr.
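
The corroboration suggested in post 6, as an added example that is not part of any post in this thread: it pairs each timestamped `.sh_history` entry with sudo log lines written within a few seconds of it, keeping the raw epoch beside the converted time. It assumes a syslog-style sudo line format, that the analyst supplies the year and UTC offset (syslog omits both), and that it runs on copies of the files; the user `jdoe`, host `aixhost` and all sample data are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Entry layout per the thread's scripts: command, "#" chr(0336) "#", epoch, "#" chr(0337) "#"
ENTRY = re.compile(rb"^(.*?)#\xde#(\d+)#\xdf#")
# Assumed syslog-style sudo line: "Mon DD HH:MM:SS host sudo: user : ... USER=x ; COMMAND=..."
SUDO = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sudo: +(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")

def parse_history(raw):
    """Return [(epoch, command)] for every timestamped entry in raw .sh_history bytes."""
    entries = []
    for line in raw.replace(b"\0", b"").split(b"\n"):
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(2)), m.group(1).decode("latin-1").strip()))
    return entries

def parse_sudo(log_text, year, utc_offset_hours):
    """Return [(epoch, user, runas, command)] from sudo log text."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for line in log_text.splitlines():
        m = SUDO.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
            events.append((int(ts.timestamp()), m.group(2), m.group(3), m.group(4)))
    return events

def corroborate(history, sudo_events, window=5):
    """Pair each history entry with sudo log lines logged within `window` seconds of it."""
    report = []
    for epoch, cmd in history:
        hits = [e for e in sudo_events if abs(e[0] - epoch) <= window]
        stamp = datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
        report.append((stamp, epoch, cmd, hits))
    return report

# Constructed sample data (not taken from a real system).
SAMPLE_HISTORY = b"ls -al #\xde#1251298156#\xdf#\n\0sudo chmod 777 -R /usr #\xde#1251298200#\xdf#\n"
SAMPLE_SUDO = ("Aug 26 09:50:01 aixhost sudo:  jdoe : TTY=pts/3 ; PWD=/home/jdoe ; "
               "USER=root ; COMMAND=/usr/bin/chmod 777 -R /usr\n")

if __name__ == "__main__":
    events = parse_sudo(SAMPLE_SUDO, 2009, -5)
    for stamp, epoch, cmd, hits in corroborate(parse_history(SAMPLE_HISTORY), events):
        print(stamp, epoch, cmd, "| sudo log:", [h[3] for h in hits] or "no match")
```

A history entry with no matching sudo line is not evidence either way; commands typed inside a root shell started through sudo appear in the sudo log only as the shell launch.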


  • 7.  Re: how to format all sh-history files

    Posted Sun August 30, 2009 11:17 PM

    Originally posted by: SystemAdmin


    You may find the following to be of use.

    Regards,
    George

    #!/usr/bin/perl
    # @(#)hist - Processes the command history list of any user - GLS 02/10/2008
    #=============================================================================#
    # hist     Display the history of a user; similar output to history command   #
    #                                                                             #
    # Usage:   hist user       default is history of current user                 #
    #                                                                             #
    # Created: G L Spencer 02/10/2008                                             #
    #=============================================================================#

    # Initialization
    #
    $delim_1="#" . chr(0336) . "#"; # Initial delimiter in .sh_history
    $delim_2="#" . chr(0337) . "#"; # Final delimiter in .sh_history

    # Determine the user requested
    #
    $user=$ARGV[0];
    chop($who_am_i=`who am i`);     # Chop to remove the newline
    @who=split(' ', $who_am_i);     # Split on spaces; first field is the login name
    if ($user eq "") {$user=$who[0];}

    # Check whether HELP is required
    #
    if ( $user eq "-h" || $user eq "-?" ) {
        print "Usage: hist user\n";
        print " Displays the user shell history with timestamp. The output is similar \n";
        print " to that displayed by the 'history -t' command. The default user is the\n";
        print " user running the program. To view the history of another user, you must\n";
        print " run the program as the root user.\n";
        exit 1;
    }

    # Ensure that program is run as root to read another user's .sh_history
    #
    if ($user ne $who[0]) {
        chop($asUser=`whoami`);     # Chop to remove the newline
        if ($asUser ne "root") {
            print "WARNING: hist program must be run as root to read the .sh_history\n";
            print " of another user.\n";
            exit 1;
        }
    }

    # Determine the location of the home directory
    #
    @pass=getpwnam($user);          # Get /etc/passwd details in array
    $userDir=$pass[7];

    if ($pass[0] eq "") {
        print "User, $user, no longer exists, ";
        if ( -e "/home/$user/.sh_history") {
            print "but home directory is present.\n";
            $userDir="/home/$user"; # Fall back to the directory that was just tested
        } else {
            print "and no home directory.\n";
            exit 2;
        }
    }

    # Read and output the .sh_history file
    #
    $histFile="$userDir/.sh_history";
    if (! -e $histFile) {print "$userDir/.sh_history not found\n"; exit 3;}
    # Three-argument open so the file name is never interpreted as a mode or a pipe
    open(HIST, "<", $histFile) or die "Cannot open $histFile: $!\n";
    while (<HIST>) {
        chop;                       # Chop the newline
        $cnt++;
        s/\0//g;                    # Remove nulls
        @fld=/([^\0]+)$delim_1(.*)$delim_2/; # Split line at delimiters
        if ($#fld == 1) {           # Two fields: command and epoch timestamp
            ($sec, $min, $hr, $dd, $mon, $yr, $wday, $yday, $isd)=localtime($fld[1]);
            printf("%-8d", $cnt);
            printf("%02d/%02d/%04d %02d:%02d:%02d :: ",$dd,$mon+1,1900+$yr,$hr,$min,$sec);
            print "$fld[0]\n";      # print, not printf: the command may contain '%'
        } else {
            if ($_ eq "") {next;}   # Skip null string lines
            printf("%-27d :: ", $cnt);
            print "$_\n";
        }
    }
    close(HIST);


  • 8.  Re: how to format all sh-history files

    Posted Tue July 22, 2014 01:04 PM

    Originally posted by: JoachimB


    I tried to modify the script so it would take a filename as an argument rather than a user name ... but I failed.

    Anybody with some advice?

    Here is my modified code:

    #!/usr/bin/perl

    # @(#)hist - Processes the command history list of any file - GLS 02/10/2008, JB 22/07/2014


    #=============================================================================#
    # hist Display the history of a user; similar output to history command       #
    #                                                                             #
    # Usage: hist hist_file                                                       #
    #                                                                             #
    # Created: G L Spencer 02/10/2008, modified by JB 22.07.2014                  #
    #                                                                             #
    #=============================================================================#

    #  Initialization

    $delim_1="#" . chr(0336) . "#"; # Initial delimiter in .sh_history
    $delim_2="#" . chr(0337) . "#"; # Final delimiter in .sh_history

    #   Determine the file requested

    $histFile=@ARGV[0];


    #    Read and output the .sh_history file

    if (! -e $histFile) {print "$userDir/.sh_history not found"; exit 3;};
    open(HIST, "<$histFile");
    while (<HIST>) {
    chop; # Chop the newline
    $cnt++;
    s/\0//g; # Remove nulls
    @fld=/(^\0+)$delim_1(.*)$delim_2/; # Split line at delimiters
    if ($#fld == 1) { # Two fields
    ($sec, $min, $hr, $dd, $mon, $yr, $wday, $yday, $isd)=localtime($fld[1]);
    printf("%-8d", $cnt);
    printf("%02d/%02d/%04d %02d:%02d:%02d :: ",$dd,$mon+1,1900+$yr,$hr,$min,$sec);
    printf("$fld[0]\n");
    } else {
    if ($_ eq "") {next;} # Skip null string lines
    printf("%-27d :: ", $cnt);
    print "$_\n";
    }
    }



  • 9.  Re: how to format all sh-history files

    Posted Wed July 23, 2014 08:44 AM

    Originally posted by: YannickBergeron


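    Here is something that seems to work

    #!/usr/bin/perl

    use strict;
    use POSIX;

    # The history file to read is the only argument
    my $history_file = $ARGV[0];
    if (! $history_file || ! -e $history_file ) {
      print 'Usage: '.$0.' { history_file }'."\n";
      exit(1);
    }

    # Delimiters that surround the epoch timestamp in .sh_history
    my $delim_1='#'.chr(0336).'#';
    my $delim_2='#'.chr(0337).'#';

    # Three-argument open so the file name is never interpreted as a mode or a pipe
    open(my $fh, '<', $history_file) or die "Cannot open $history_file: $!\n";
    while (my $line = <$fh>) {
      my $cmd;
      my $timestamp;
      chomp($line);
      $line =~ s/\0//g;             # Remove nulls
      if ($line =~ m/(.*)$delim_1(.*)$delim_2(.*)/) {
        ($cmd, $timestamp) = ($1, $2);
      }
      else {
        # No timestamp on this line: pad so commands stay aligned
        $cmd = (' ' x 20).$line;
      }
      print ($timestamp ? strftime('%Y/%m/%d %H:%M:%S ', localtime($timestamp)) : '');
      print $cmd . "\n";
    }
    close($fh);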



  • 10.  Re: how to format all sh-history files

    Posted Wed July 23, 2014 09:10 AM

    Originally posted by: JoachimB


    Yannick, thank you.

    I confirm it works perfectly. 



  • 11.  Re: how to format all sh-history files

    Posted Sun August 30, 2009 11:21 PM

    Originally posted by: SystemAdmin


    Oops! This may be more useful.


  • 12.  Re: how to format all sh-history files

    Posted Tue March 13, 2012 07:22 PM

    Originally posted by: SystemAdmin


    very useful, thanks


  • 13.  Re: how to format all sh-history files

    Posted Mon June 23, 2014 08:56 PM

    Originally posted by: Kumar-


    Hi,

    Please explain the way to use the script. Can't get how to extract the information using it.