Sunday, March 13, 2016

Timestamping history

Being an incident response person means sometimes you are also asked some help for troubleshooting things. The other day I was looking at a config and wanted to know what the sysadmin did on his Linux box before calling me in.

After I helped him (it was a typo in a config file) I told him something I only learned half a year ago but I think is pretty handy. You can actually timestamp the commands in the history file.

The magical line is :
echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile
I also put it in my Dockerfile with the following instruction:

1 comment:

Xme said...

Nice tip!

By default (I only checked on Ubuntu), there are other variables defined. Those ones may have an impact on future investigations:

# don't put duplicate lines in the history. See bash(1) for more options
# ... or force ignoredups and ignorespace

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)