With the amount of local user access and / or offshoring, tracking the command history has become a difficult process for Security administrators and Auditors. As Users have become more active in setting up personal profiles and remove tracking from their local history, this just creates one more vector that has to be address to reduce risk.
By changing the global profile and setting up the default parameters for all shell history logging a Security administrator can reduce the risk of forensics from disappearing. Making the change at the global profile level prevents the User from making changes to their local profile and in effect keeping one standard for history log naming structure. One location to retrieve history files back to the central tracking system.
Simple changes to an overlooked tool will add a unique layer of hardening to a system that most hackers will not be able to reverse or cleanup without leaving one foot-print. This process creates a unique history file each time the User logs into the system or escalates there privilege.
When user Lenz form her notebook executes ssh s.lenz@ozusNim02 it will create a unique log file in /var/History with the structure of ozusnim02-s.lenz_sh_history-20120410_14:33:08-s.lenz-10.1.250.198-pts/3.
The file is active while the user is logged in so she can review history commands during the session. If she escalates to root the file with change to reflect that this user has run sudo or su as the root user will be added and a new time stamp is added ozusnim02-root_sh_history-20120410_14:41:20-s.lenz-10.1.250.198-pts/3.
When the user exits the higher privilege the current history session is still in effect and will continue to capture commands.
With the central logging server polling every minute to high value targets the Security and Audit team will have another holistic vector to secure the business.
Like all things in Security this is just another layer to reduce risk, help in forensics and capture the bad guys.