LinuxQuestions.org


SnakerDLK 09-30-2010 03:08 PM

Is there a way to prevent users from changing or unset their HISTFILE variable?
 
'readonly HISTFILE'

but the user could tamper with the histfile itself. Like:
rm -f $HISTFILE;
rm -f $HISTFILE; mkdir $HISTFILE;
rm -f $HISTFILE; ln -s /dev/null $HISTFILE;

I'm experimenting with PROMPT_COMMAND to execute a command each time the user executes a command and so log it somewhere else...


//This post was pruned from the 2009 Is there a way to prevent users from changing or unset their HISTFILE variable? thread. Please do not resurrect old threads but instead create your own (and maybe provide a link to the old one).

neonsignal 10-01-2010 09:20 AM

No you can't prevent this, because it isn't intended to be an audit device (they can just unset the variable). And unless you severely limit them, they could easily run an alternate shell anyway.

If you want to audit them properly, use a package like acct/psacct.

SnakerDLK 10-02-2010 03:35 PM

Actually that was not a real question,
I was just answering an old open thread.

The problem with psacct is that I don't care which process the user ran or how much memory or CPU it consumed, but WHAT the process did. The difference between rm -fr ~/* and rm -fr /*.


LD_PRELOAD does this more or less, and if the user opens an alternate shell I will see it in the history and know he did something suspicious.

I tried pam_tty_audit, but did not get very far. I could only get it to log logins, not commands.


All times are GMT -5.