Thursday, March 20, 2014

Shell history: Set HISTTIMEFORMAT to save & see when you executed commands

This is a really useful setting that I didn't know about until a couple of years ago.

HISTTIMEFORMAT='%F %T '

I'm so used to it now that I get annoyed when I create a new account/login and don't have it.

Why: the ability to correlate system artifacts with commands.
There's a file here; when/how did I create it?
Now in the shell, 'history' will show the time of each command, which may help you track down when you created (or deleted) a file, etc.

Some issues:

  • if you start a new shell and it exits after this one, $HISTFILE can get overwritten.
    This is a problem if you like to have lots of shells and windows open at the same time.
  • after a while, with a lot of history, only the last $HISTSIZE (or $HISTFILESIZE) commands will be saved.
  • your $HISTFILE contains Unix epoch times, so it is not easily read or grep'd directly.
    (However, you can easily save and load it with history -w / -r.)
  • recorded time is not retroactive. All commands from before that point will carry the time when you first set HISTTIMEFORMAT, so start today!

I have solutions to most of these, so each of my screen windows has its own history, as do emacs and xterm shells, and I keep a per-directory history as well.
How many commands? 121859 (just one system, my main laptop, last 2.5 years of usage);
this doesn't count a few other development systems.

Seems like a lot, but that's only ~133 commands per day average.
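As an added example (my own, not the post author's setup) that ties the pieces above together: a set of history settings that address the overwrite and size issues from the list, and a small helper that turns the raw epoch stamps in a $HISTFILE into readable timestamps so the file can be grepped by date. The per-window HISTFILE naming, the use of screen's $WINDOW variable, the HISTSIZE/HISTFILESIZE values and the sample history content are all assumptions I constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Settings in the style of ~/.bashrc. The per-window HISTFILE name (built from
# screen's $WINDOW, an assumption) gives each window its own file so a shell that
# exits later cannot clobber another shell's history.
apply_history_settings() {
    HISTTIMEFORMAT='%F %T '                          # the setting the post is about
    HISTSIZE=100000                                  # entries kept in memory per shell (assumed value)
    HISTFILESIZE=200000                              # entries kept in the file on disk (assumed value)
    HISTFILE="$HOME/.bash_history.${WINDOW:-main}"   # one file per screen window (assumption)
    if [ -n "$BASH_VERSION" ]; then
        shopt -s histappend                          # append instead of overwrite on exit
        PROMPT_COMMAND='history -a'                  # flush each command as soon as it runs
    fi
    export HISTTIMEFORMAT HISTSIZE HISTFILESIZE HISTFILE
}

# Convert epoch seconds to 'YYYY-MM-DD HH:MM:SS' in UTC.
# GNU date accepts -d @epoch; BSD/macOS date needs -r epoch, so fall back to it.
epoch_to_utc() {
    date -u -d "@$1" '+%F %T' 2>/dev/null || date -u -r "$1" '+%F %T'
}

# Read HISTFILE-format text on stdin: a '#<epoch>' line followed by the command.
# Print '<timestamp> <command>'; a command with no preceding stamp gets '(no time)'.
format_histfile() {
    stamp=''
    while IFS= read -r line; do
        case "$line" in
            '#'[0-9]*) stamp=$(epoch_to_utc "${line#\#}") ;;   # drop the leading '#'
            *) printf '%s %s\n' "${stamp:-(no time)}" "$line"; stamp='' ;;
        esac
    done
}

# Constructed sample in the on-disk format bash writes when HISTTIMEFORMAT is set.
SAMPLE_HISTFILE='#1395331200
ls -la /tmp
#1395331260
rm /tmp/scratch.txt
echo untimed'

# Render the constructed sample; prints the timestamped lines.
render_sample() {
    printf '%s\n' "$SAMPLE_HISTFILE" | format_histfile
}

render_sample
```

Run it against a real file with `format_histfile < ~/.bash_history | grep '2014-03-20'` to answer the "when did I create this file" question directly from the on-disk history. Note that `history -a` writes after every command, so a crash or killed window loses at most the command currently being typed rather than the whole session.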


... So what is the ideal system audit trail ?
