How to view the changes made by a cPanel Support Analyst or Engineer via the command line

Introduction


Whenever access is granted to cPanel support through a ticket, our automated ticket system initiates an SSH session with the server. As part of that process, our system ensures that every command an Analyst or Engineer runs is saved to a history file with a specific name in the root user's home directory. You can use the methods below to view the bash history of one of our Analysts or Engineers and see what actions were taken on your server via SSH. This can be a great way to learn more about the kinds of commands and scripts analysts use to troubleshoot issues. It can also serve as a way to audit changes if you want to know whether a particular change was performed by an analyst while they were logged into your server.

 

Procedure

 

Method #1: Viewing the Raw Bash History Files

  1. Log in to the server via SSH or Terminal as the root user
  2. Issue the following command to list all of the bash history files for the analysts who have worked on the server:
    ls -lah /root/.bash_history.cpanel_ticket*
    NOTE: You'll notice that each history file contains the ticket ID that it is associated with in the filename.
  3. Use the less command to view the file of your choice

 

Method #2: Use an awk command to format the files into a human-readable format

  1. Log in to the server via SSH or Terminal as the root user
  2. Issue the following command to list all of the bash history files for the analysts who have worked on the server:
    ls -lah /root/.bash_history.cpanel_ticket*
    NOTE: You'll notice that each history file contains the ticket ID that it is associated with in the filename.
  3. Use the following command to format the file of your choice. Be sure to replace FILENAME at the end of the command with the history file you would like to view. The END block prints the final command in the file, which has no timestamp line after it:
    awk -F\# '/^#1[0-9]{9}$/ { if(cmd) printf "%s %s\n",ts,cmd; ts=strftime("%F %T",$2); cmd="" } !/^#1[0-9]{9}$/ { if(cmd)cmd=cmd "\n" $0; else cmd=$0 } END { if(cmd) printf "%s %s\n",ts,cmd }' FILENAME

     

Method #3: Use a script to automate the process of finding and formatting the files

  1. Log in to the server via SSH or Terminal as the root user
  2. Create the script file with the following command:
    touch /root/cPanelBashHistoryTool.sh
  3. Make the file executable:
    chmod +x /root/cPanelBashHistoryTool.sh
  4. Open the file with the text editor of your choice
  5. Copy the script below into the file:
    #!/bin/bash
    # Find each cPanel support history file under /root and write a
    # timestamped, human-readable copy next to it.

    RED='\033[0;31m'
    NC='\033[0m'

    echo
    find /root/ -type f -name ".bash_history.cpanel_ticket*" | grep -v "humanreadable" |
    while IFS= read -r histpath
    do
        echo
        # The ticket ID is what remains of the path after the filename prefix
        ticketID=$(echo "$histpath" | sed 's/\/root\/.bash_history.cpanel_ticket.//')
        humanReadable="$histpath-humanreadable"
        printf "${RED}FOUND${NC}: %s\n" "$histpath"
        printf "${RED}TicketID${NC}: %s\n" "$ticketID"
        echo "Generating Human Readable Version..."
        # Pair each "#<epoch>" line with the command lines that follow it.
        # The END block emits the final command, which has no timestamp after it.
        awk -F\# '/^#1[0-9]{9}$/ { if(cmd) printf "%s %s\n",ts,cmd; ts=strftime("%F %T",$2); cmd="" } !/^#1[0-9]{9}$/ { if(cmd)cmd=cmd "\n" $0; else cmd=$0 } END { if(cmd) printf "%s %s\n",ts,cmd }' "$histpath" > "$humanReadable"
        printf "${RED}HumanReadablePath${NC}: %s\n" "$humanReadable"
        echo "Use the following command to view the human readable version:"
        echo "less $humanReadable"
    done
    echo
    echo "Script Finished."

     

  6. Run the script and then review the output to see the paths to the human readable files that were generated:
    bash /root/cPanelBashHistoryTool.sh
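
For the audit use described in the introduction, the following added example (not cPanel's own code) searches every ticket history file for commands matching a pattern and prints the ticket ID, epoch timestamp, and command. The function name, the " <NL> " marker for multi-line commands, and the sample pattern in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not cPanel's code. Lists every command in the support
# history files that matches a pattern, as: ticket <TAB> epoch <TAB> command
#
# Usage: find_ticket_change PATTERN [DIR]      e.g. find_ticket_change 'chmod|chown'
#   PATTERN  awk extended regex tested against each whole command
#   DIR      directory holding the history files (default: /root)
find_ticket_change() {
    pattern=$1
    dir=${2:-/root}
    for f in "$dir"/.bash_history.cpanel_ticket*; do
        [ -f "$f" ] || continue                       # glob matched nothing
        case $f in *-humanreadable) continue ;; esac  # skip Method #3 output
        # Ticket ID: filename minus the prefix and one separator character,
        # the same split the sed expression in Method #3 performs.
        ticket=${f##*/.bash_history.cpanel_ticket}
        ticket=${ticket#?}
        awk -v pat="$pattern" -v ticket="$ticket" '
            function emit() {
                if (cmd != "" && cmd ~ pat) {
                    gsub(/\n/, " <NL> ", cmd)         # one record per line
                    printf "%s\t%s\t%s\n", ticket, (ts == "" ? "-" : ts), cmd
                }
                cmd = ""
            }
            /^#[0-9]+$/ { emit(); ts = substr($0, 2); next }  # timestamp line
            { cmd = (cmd == "" ? $0 : cmd "\n" $0) }          # command text
            END { emit() }    # the last command has no timestamp after it
        ' "$f"
    done
}
```

On Linux, an epoch value from the second column can be converted with `date -d @EPOCH`.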
