If you've ever wanted to see the command history of a currently running bash process, BashSnoop can assist with this. The tool can write a bash process's command history, which at that point resides only in memory, to a file. This is useful for "catching" the bash history of potentially malicious SSH sessions, where the history would otherwise never have been recorded because the user cleared the session's bash history before their final session exit.
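# Add the ssullivan.org yum repositories if they are not configured yet.
# gpgcheck=0 turns off package signature verification for these repos,
# and the baseurl is plain HTTP.
if [ ! -f '/etc/yum.repos.d/ssullivanorg.repo' ] ; then
cat << 'EOF' > /etc/yum.repos.d/ssullivanorg.repo
[ssullivanorg-generic_noarch]
name=Generic packages
baseurl = http://repos.ssullivan.org/redhat/generic/noarch/
enabled=1
gpgcheck=0

[ssullivanorg-6_x86_64]
name=EL6 packages
baseurl = http://repos.ssullivan.org/redhat/6/x86_64/
enabled=1
gpgcheck=0
EOF
fi

# Refresh yum metadata and install the package.
yum clean all
yum install bash-snoop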
Save the bash history of every current bash process to a file @ /var/cache/BashSnoop/$pid.bash_history:
Save the history of just the bash process with PID 1986 @ /var/cache/BashSnoop/1986.bash_history:
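Because the dump files are keyed only by PID, it helps to check each one against the process table before attributing it to a session. The following is an added example, not part of BashSnoop: the function name `snoop_inventory` and its output format are assumptions, and it relies only on the `<pid>.bash_history` naming described above and on Linux procfs.

```shell
#!/bin/sh
# Added example (not BashSnoop code): classify each history dump by whether
# the PID in its file name still belongs to a running bash process.
# Assumptions: dumps are named <pid>.bash_history as described above, and the
# process table is Linux procfs. Both directories are parameters so the
# function can also be pointed at a forensic copy of a system.
#
# Usage: snoop_inventory [cache_dir] [proc_root]
# Output: one line per dump, "<pid> <state> <line-count>"

snoop_inventory() {
    cache_dir=${1:-/var/cache/BashSnoop}
    proc_root=${2:-/proc}

    for f in "$cache_dir"/*.bash_history; do
        [ -f "$f" ] || continue            # glob matched nothing
        pid=$(basename "$f" .bash_history)
        case $pid in
            ''|*[!0-9]*) continue ;;       # file name is not a PID, skip it
        esac

        if [ ! -d "$proc_root/$pid" ]; then
            state=gone                     # process exited after the dump
        elif [ "$(cat "$proc_root/$pid/comm" 2>/dev/null)" = bash ]; then
            state=live-bash                # PID is currently a bash process
        else
            state=not-bash                 # PID now names some other program
        fi

        # Number of history lines captured in the dump.
        lines=$(wc -l < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$pid" "$state" "$lines"
    done
}
```

A `live-bash` result only shows that the PID is a bash process now; comparing the dump's modification time with the process start time is still needed to rule out a recycled PID.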