How to collect history of all commands run on the system (for all users) for the last 30 days?

The history command returns the latest 1000 executed commands, and the file .bash_history stores 2000 entries.

We can override the default behavior by adding the following to .bashrc to store unlimited command history for a particular user.

export HISTFILESIZE=
export HISTSIZE=

But, how can we maintain and limit the history for the last 30 days for all users on a system?

To maintain and limit the history to the last 30 days, we can use either a cron job or a scheduled task.
For a cron job:
Open the crontab editor with
crontab -e
After this, add a line to execute it:
0 0 * * * /bin/bash -l -c 'history | grep "$(date -d "30 days ago" "+\%Y-\%m-\%d")" > ~/history_log_30_days.txt'
Here,
/bin/bash -l -c: -l means the shell is in login state, and -c represents the count, that is, the number of days we want. The grep command here searches and saves the history command for 30 days, which includes date, month and year, and it will create a .txt file which consists of the history of the last 30 days on the Linux machine. Save the cron job editor and exit.

1 Like

And how can we include the history for all users on the system?

In the system-wide shell configuration, i.e. /etc/profile or /etc/bash.bashrc

Add

HISTTIMEFORMAT="%F %T "
HISTFILESIZE=3000
HISTSIZE=1000

And run a cron job to clear the in-memory history and add it to the history file.

0 0 * * * /bin/bash -c 'export HISTFILE=/root/.bash_history && history -c && history -w'

2 Likes

There are multiple ways to approach this depending on your system and preferences. One approach we can consider is using the logrotate utility, which is commonly used for managing log files but can be adapted for managing command history files as well.
So if logrotate is already on our/your system, well and good; if it is not on your system, then install it.

sudo apt-get install logrotate # (For Debian/Ubuntu) I do use Ubuntu, so this one
sudo yum install logrotate # (For CentOS/RHEL)

Create a logrotate configuration file and schedule it using cron. Add the following lines to the global bash configuration file (/etc/bash.bashrc):

Create a new configuration file, for example, /etc/logrotate.d/history :
/home/*/.*_history {
daily
missingok
rotate 30
compress
notifempty
create 0600 root root
dateext
dateformat -%Y-%m-%d
}
This configuration will rotate history files in user home directories daily, keeping the last 30 days of history, and we can adjust the path and options according to our preferences.

We can test the log rotation without waiting for the cron job by running:
logrotate -d /etc/logrotate.conf

OR

We can do it another way also:
Update the bash configuration for all users.
After that, create a cleanup script which will clean up the command history file, keeping only entries from the last 30 days.
Schedule the cleanup script to run regularly using a cron job.
Save the file and, if I am not wrong, cron will automatically run the cleanup script at the specified intervals.

1 Like
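Added example (not code from any poster in this thread): a POSIX shell function that implements the cleanup-script step above for a bash history file written with HISTTIMEFORMAT set, keeping only entries whose timestamp is at or after a cutoff. It assumes bash's own on-disk layout, where a `#<epoch>` line precedes each entry; the function names and the sample history file are constructed for illustration.

```shell
#!/bin/sh
# prune_history FILE CUTOFF_EPOCH
# Keep only entries whose "#<epoch>" marker (written by bash when
# HISTTIMEFORMAT is set) is >= CUTOFF_EPOCH. Multi-line entries stay
# whole because every line after a marker inherits that marker's verdict.
# Lines that precede any marker cannot be dated and are kept, so nothing
# is silently dropped from a file that predates HISTTIMEFORMAT.
# Output goes to stdout; the caller decides whether to replace FILE.
prune_history() {
    awk -v cutoff="$2" '
        /^#[0-9]+$/ { keep = (substr($0, 2) + 0 >= cutoff); seen = 1 }
        seen == 0 || keep { print }
    ' "$1"
}

# count_kept FILE CUTOFF_EPOCH: number of lines that survive pruning.
count_kept() {
    prune_history "$1" "$2" | wc -l | tr -d ' '
}

# Epoch seconds for "30 days ago" (GNU date first, BSD/macOS fallback).
thirty_days_ago() {
    date -d "30 days ago" +%s 2>/dev/null || date -v-30d +%s
}

# Constructed sample history (not real data): one undated legacy line,
# then entries at three timestamps, one of them a multi-line loop.
make_sample() {
    cat > "$1" <<'EOF'
ls -la
#1700000000
cat /etc/passwd
#1702000000
for f in *; do
  echo "$f"
done
#1704000000
sudo systemctl restart auditd
EOF
}

# Typical use from the cleanup script scheduled by cron:
#   prune_history /home/alice/.bash_history "$(thirty_days_ago)" > /tmp/pruned \
#     && cat /tmp/pruned > /home/alice/.bash_history
```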

We can use the system audit framework. The steps can vary depending on the distribution.
For Red Hat or CentOS
sudo yum install audit

On Debian or Ubuntu
sudo apt-get install auditd

Enable and start auditd services
sudo systemctl enable auditd
sudo systemctl start auditd

Create a rule file
/etc/audit/rules.d/audit.rules
and add the following rule to capture command executions:
-a always,exit -F arch=b64 -S execve -k command_executed
-a always,exit -F arch=b32 -S execve -k command_executed

Restart auditd to apply the rules
sudo systemctl restart auditd

Retrieve audit logs for the last 30 days; this command will display detailed information about executed commands, including the command itself.
sudo ausearch -k command_executed --start recent -i

1 Like