On 08/08/2012 11:34 AM, Brian Mathis wrote: > Capturing history files is error-prone and a very bad way to approach > this problem. You should instead look into using process accounting, > provided by the psacct package. You can read about it here: > http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html +1 bash_history is not a log for the admin, it's a convenience for the user. Users who want to hide their tracks can unset HISTFILE or switch to a different shell. Process accounting is the only solution that's even remotely reliable.