I work for a company that offers users access to the unix shell. This has always been something of a problem, because users hack or otherwise abuse the shell and then hide their tracks by deleting their .bash_history. There are other ways to see what they've done -- true -- but the .bash_history is by far the easiest. There are also ways to avoid having your commands appear in the .bash_history, but people don't usually know about them, or don't worry because they plan to delete the file anyway.

To protect against this, what I've done is modify rm so that when a .bash_history is deleted, it is first backed up to a secret location. The elegance of the solution is that the user is unsuspecting: the file looks deleted to them, and they have no idea it was copied before being removed. The person feels they've covered their tracks, but you know better. This could easily be modified to cover any file or files you want instead of .bash_history.

The "Remove a file. POSIX" comment header is a placemarker so you can find the right spot in your rm.c if you choose to make these changes. The other section, which is its own function, can be placed anywhere as long as it's not embedded in another function; it is probably easiest to drop it at the bottom of the source, with a prototype above the point where it is called. Feel free to use these modifications, but please credit me for any work you take directly. It's simple code, but a very useful concept.

    /*
     * Remove a file.  POSIX 1003.2 states that, by default, attempting
     * to remove a directory is an error, so must always stat the file.
     */

    /* Prototype for the backup function defined at the bottom of the file.
     * Needs <stdio.h>, <stdlib.h>, <string.h> and <strings.h>. */
    void copyfile(char *oldfile, char *newfile);

    /* Find out the current user's name; getenv() may return NULL */
    char *f, newf[1000], *usern, *base;
    usern = getenv("USER");
    if (usern == NULL)
        usern = "unknown";

    /* Normal code */
    while ((f = *argv++) != NULL) {

        /* Check to see if it's a .bash_history being deleted; compare the
         * final path component so "rm ~/.bash_history" is caught as well */
        base = strrchr(f, '/');
        base = base ? base + 1 : f;
        if (strcasecmp(base, ".bash_history") == 0) {

            /*
             * If it is, run the copy function, which will back up the
             * .bash_history.  The /var/spool/tmp directory can be changed
             * to wherever you'd like the backups to go.  snprintf() keeps
             * an over-long $USER from overflowing newf.
             */
            snprintf(newf, sizeof newf, "/var/spool/tmp/bh.%s", usern);
            copyfile(f, newf);
        }

        /* Back to normal code */
        /* Assume if can't stat the file, can't unlink it. */


    /* Back up the old .bash_history by appending it to newfile */
    void copyfile(char *oldfile, char *newfile)
    {
        FILE *new;
        FILE *old;
        int c;

        /* Open the old file and the new (backup) file */
        if ((old = fopen(oldfile, "r")) != NULL) {
            if ((new = fopen(newfile, "a")) != NULL) {
                /* Copy one character at a time, stopping at EOF rather than
                 * testing feof() before the read, which would write a stray byte */
                while ((c = fgetc(old)) != EOF)
                    fputc(c, new);
                /* Then close up everything */
                fclose(new);
            }
            fclose(old);
        }
    }

Note: As per the title, this only protects against deleted .bash_history files. No more, no less.
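The hook's decision and copy logic, pulled out of rm into a stand-alone unit so it can be compiled and exercised on its own. This is an added example, not the post's code; the backup directory argument and the bh.<user> naming mirror the post, and the header line written before each copy is an addition so that successive deletions stay distinguishable in the accumulated backup file.

```c
/* Added example, not the original post's code: the rm hook's decision
 * and copy logic as a stand-alone unit.  backup_dir and the bh.<user>
 * naming mirror the post; everything else here is assumed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <time.h>

/* Match the final path component, so "rm ~/.bash_history" is caught as
 * well as a bare ".bash_history"; ".bash_history.bak" does not match. */
int is_history_file(const char *path)
{
    const char *slash = strrchr(path, '/');
    return strcasecmp(slash ? slash + 1 : path, ".bash_history") == 0;
}

/* Append oldfile to newfile behind a header line, so successive
 * deletions stay distinguishable in the accumulated backup.  Stops on
 * EOF rather than testing feof() first, which would write a stray byte. */
static int append_copy(const char *oldfile, const char *newfile)
{
    FILE *old = fopen(oldfile, "r");
    if (old == NULL) return -1;
    FILE *out = fopen(newfile, "a");
    if (out == NULL) { fclose(old); return -1; }
    fprintf(out, "### %s saved at %ld\n", oldfile, (long)time(NULL));
    int c;
    while ((c = fgetc(old)) != EOF)
        fputc(c, out);
    fclose(old);
    return fclose(out) == 0 ? 0 : -1;
}

/* Returns 1 if f named a .bash_history and it was appended to
 * backup_dir/bh.<user>, 0 if f did not match, -1 on error.  A NULL user
 * (getenv("USER") failed) falls back to "unknown" instead of crashing. */
int backup_if_history(const char *f, const char *backup_dir, const char *user)
{
    char newf[1000];
    if (!is_history_file(f)) return 0;
    if (user == NULL) user = "unknown";
    if (snprintf(newf, sizeof newf, "%s/bh.%s", backup_dir, user) >= (int)sizeof newf)
        return -1;
    return append_copy(f, newf) == 0 ? 1 : -1;
}
```

Inside rm the call would be `backup_if_history(f, "/var/spool/tmp", getenv("USER"))` in place of the inline check and sprintf.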