Is there a way to prevent users from changing or 'unset'ting their HISTFILE variable?



TIA

Users usually use the following to remove all traces of their activity

killall -9 syslogd klogd (kill loggers)
unset HISTFILE (stop .bash_history records)
I see that logs are usually stored in /var/log/messages and /var/log/secure

This doesn't mean you can't have the logs sent to another box or to a printer, etc through a background process.

So if you don't find a way to prevent users to unset their HISTFILE then I recommend you backup(dump) the HISTFILE value every now and then and if it is unset you will have the backup which you can check for more info.

Thanks, I'm talking about for an underprivileged user though.

They shouldn't be able to stop the syslogs.

In general, there is no way of stopping users from changing their own shell variables including HISTFILE.

Would this work?
Are there any others?

No. chmod works on files butfpmurphy is right, even the restricted shell doesn't restrict changing HISTFILE. Bash' history mechanism is a convenience for the user. It was not designed as an audit trail and cannot be effectively used as one. If you want to track what commands your users are running, you will have more success with a tool designed for the job.

Wow, I didn't even know there were shell builtins, I always thought it was /bin/unset or something. I just double checked, and you are right.

I am assuming the shell builtin override whats in $PATH, correct?

Correct. See the Gnu Bash Reference's Command Search and Execution section for the full story.