History is a common command for shell to list out all the executed commands. It is very useful when it comes to investigation on what commands was executed that tear down the server. With the help of last command, you be able to track the login time of particular user as well as the the duration of the time he/she stays login.
last ... mysurface tty7 :0 Mon Oct 6 20:07 - down (00:00) reboot system boot 220.127.116.11-64.fc8 Mon Oct 6 20:06 (00:00) mysurface pts/8 10.168.28.44 Mon Oct 6 17:42 - down (01:58) mysurface pts/7 :0.0 Mon Oct 6 17:41 - 19:40 (01:59) mysurface pts/6 :0.0 Mon Oct 6 17:27 - 19:40 (02:13) mysurface pts/5 :0.0 Mon Oct 6 17:27 - 19:40 (02:13) mysurface pts/5 :0.0 Mon Oct 6 15:52 - 15:59 (00:07) ...
If the command line history could provides the date time of the commands being executed, that may really narrow down the scope of the user actions that cause the server malfunction. By default, history do not append with timestamp, but it is easy to configure it to display timestamp, you just need to set one environment variable HISTTIMEFORMAT.
HISTTIMEFORMAT takes format string of strftime. Check out the strftime manual to choose and construct the timestamp that suit your taste. My favorite is “%F %T “.
export HISTTIMEFORMAT="%F %T "
Execute history again and you will see the effect on the spot, bare in mind that the timestamp for command lines that executed at previous sessions may not valid, as the time was not tracked.
... 994 2008-10-16 02:27:40 exit 995 2008-10-16 01:12:20 iptables -nL 996 2008-10-16 01:47:46 vi .bash_profile 997 2008-10-16 01:47:55 history 998 2008-10-16 01:48:03 . .bash_profile 999 2008-10-16 01:48:04 history 1000 2008-10-16 01:48:09 exit 1001 2008-10-16 02:27:43 history ...
I would suggest you to put the export into ~/.bash_profile as well as /root/.bash_profile. In case you do not have .bash_profile, you can choose to put into ~/.bashrc.
Don’t mess up my servers! Your actions will be track!