bash-snoop

All software on this website is free software. If you find value in any of my projects or technical articles, please consider a donation to ensure continued development and updates.


Summary

If you've ever wanted to see the command history of a currently running bash process, BashSnoop can assist with this. The tool writes a bash process's command history, which until then resides only in memory, out to a file. This is useful for "catching" the bash history of potentially malicious SSH sessions, where the history would otherwise never be recorded because the user clears the session's bash history before the final exit.

Installation:


CentOS/RHEL:


# Add the ssullivan.org repository definition once, then install from it.
# Note: gpgcheck=0 in these entries disables package signature verification.
if [ ! -f '/etc/yum.repos.d/ssullivanorg.repo' ] ; then
  cat << 'EOF' > /etc/yum.repos.d/ssullivanorg.repo
[ssullivanorg-generic_noarch]
name=Generic packages
baseurl=http://repos.ssullivan.org/redhat/generic/noarch/
enabled=1
gpgcheck=0

[ssullivanorg-6_x86_64]
name=EL6 packages
baseurl=http://repos.ssullivan.org/redhat/6/x86_64/
enabled=1
gpgcheck=0
EOF
fi
yum clean all
yum install bash-snoop
  

Usage

Save the in-memory bash history of every running bash process to a file at /var/cache/BashSnoop/$pid.bash_history:


bash-snoop -all
  
Save the history of just the bash process with PID 1986 to /var/cache/BashSnoop/1986.bash_history:

bash-snoop 1986
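A defender-side wrapper, added here as an example and not part of bash-snoop itself: it walks /proc to find bash processes that descend from sshd (the SSH sessions the Summary describes) and runs bash-snoop on each, following the output path convention above. It assumes Linux /proc and a bash-snoop binary on PATH; the process table in SAMPLE_TABLE is constructed for offline use.

```python
import os
import subprocess

# Constructed sample process table, {pid: (comm, ppid)}: pid 300 is a shell
# spawned by an sshd session process; 400 and 500 are local shells.
SAMPLE_TABLE = {1: ("systemd", 0), 200: ("sshd", 1), 210: ("sshd", 200),
                300: ("bash", 210), 310: ("vim", 300), 400: ("bash", 1),
                450: ("gnome-terminal", 1), 500: ("bash", 450)}

def read_proc_table():
    """Build {pid: (Name, PPid)} from /proc/<pid>/status for all live processes."""
    table = {}
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{entry}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            table[int(entry)] = (fields["Name"].strip(), int(fields["PPid"]))
        except (OSError, KeyError, ValueError):
            continue  # process exited mid-scan or status unreadable; skip it
    return table

def has_sshd_ancestor(pid, table):
    """Walk the PPid chain (bounded) and report whether an sshd process is above pid."""
    ppid = table[pid][1] if pid in table else 0
    for _ in range(64):  # bound the walk in case of a stale or inconsistent table
        if ppid <= 1 or ppid not in table:
            return False
        comm, ppid = table[ppid]
        if comm == "sshd":
            return True
    return False

def ssh_bash_sessions(table):
    """PIDs of bash processes that descend from sshd, i.e. remote login shells."""
    return sorted(pid for pid, (comm, _) in table.items()
                  if comm == "bash" and has_sshd_ancestor(pid, table))

def snapshot(pids, outdir="/var/cache/BashSnoop"):
    """Run bash-snoop for each PID (root required) and return the output paths."""
    for pid in pids:
        subprocess.run(["bash-snoop", str(pid)], check=False)
    return [os.path.join(outdir, f"{pid}.bash_history") for pid in pids]

if __name__ == "__main__":
    for path in snapshot(ssh_bash_sessions(read_proc_table())):
        print(path)
```

Run it from cron or an incident-response checklist to capture session history before a remote user can clear it.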
  

Feature Requests/Bug Reports

Please send feature requests and bug reports to scottgregorysullivan at gmail.com. Or, open an issue on GitHub.