bashHistory.py

bashHistory.py is a Python script that parses a bash history file and converts its epoch timestamps to a human-readable format, so that the sysadmin of a Unix/Linux server can easily see which account executed each command and when it was executed. It is intended for system audit purposes.

Description

The bash history of a Unix/Linux server needs to be reformatted as follows:

Date        time       user_account   command_executed
2020-10-10  11:20:53   kari           exit
2020-10-10  11:19:14   root           cat .bash_history 
2020-10-10  11:19:31   root           echo 'export HISTTIMEFORMAT="%F %T "' >> /etc/profile

The date and time in the bash history file are stored in epoch format instead of a human-readable format. The snapshot below shows what the bash history file looks like. It is hard to interpret without a tool.

#1607830262
exit
#1607830263
cat .bash_history
#1607830267
echo 'export HISTTIMEFORMAT="%F %T "' >> /etc/profile
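
The following is an added example, not the project's bashHistory.py (whose source is not shown on this page): a minimal parser for the format in the snapshot above that also handles entries with no timestamp and multi-line entries. The `user` argument, the UTC rendering and the `-` placeholder for missing timestamps are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# With HISTTIMEFORMAT set, bash writes "#<epoch seconds>" before each entry.
TS_LINE = re.compile(r"^#(\d+)$")

# Constructed sample: the first and last entries are made up for this example.
SAMPLE = """ls -la
#1607830262
exit
#1607830263
cat .bash_history
#1607830267
for f in *.log; do
  wc -l "$f"
done
"""

def _row(stamp, user, lines):
    if stamp is None:  # entry recorded before timestamps were enabled
        date, time = "-", "-"
    else:  # UTC keeps the output identical on every host
        dt = datetime.fromtimestamp(stamp, tz=timezone.utc)
        date, time = dt.strftime("%Y-%m-%d"), dt.strftime("%H:%M:%S")
    # Keep a multi-line entry (shopt lithist) on a single output row.
    return (date, time, user, "\\n".join(lines))

def parse_history(text, user):
    """Return (date, time, user, command) tuples for one history file."""
    rows, stamp, pending = [], None, []
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if m:
            if pending:
                rows.append(_row(stamp, user, pending))
            stamp, pending = int(m.group(1)), []
        elif stamp is None:
            if line.strip():
                rows.append(_row(None, user, [line]))
        else:
            pending.append(line)
    if pending:
        rows.append(_row(stamp, user, pending))
    return rows

if __name__ == "__main__":
    for row in parse_history(SAMPLE, "kari"):
        print("{:<11} {:<10} {:<14} {}".format(*row))
```

For audit use, keep in mind that the history file is writable by the account that owns it, so a `-` row or a gap in timestamps is worth a second look rather than proof that nothing ran.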

Pre-requisites

Before using this script, complete the following prerequisites:

  • Enable date and time stamps in the bash history of the GNU/Linux server by executing the commands below:

    root@debian-s-1vcpu-1gb-sgp1-01:~# echo 'export HISTTIMEFORMAT="%F %T "' >> /etc/profile
    root@debian-s-1vcpu-1gb-sgp1-01:~# source /etc/profile
    
  • Create a folder to store the output/result file:

    root@debian-s-1vcpu-1gb-sgp1-01:~# mkdir /root/bash_history_parse_result
    

How to use the script

When the script runs successfully, it writes the output file to the /root/bash_history_parse_result directory. Run the script as follows:

Usage: python bashHistory.py

License

© 2020 Askari Azikin (askari.azikin@kawananu.com)