Keep write, but remove delete power

[phorbiuz]

During a recent application failure we found that 2 users had removed their $HOME/.sh_history file. We suspect it was these 2 users who caused the fault but we now have no way to prove it.

Obviously these users need write privilege or they can't write their command line history, and obviously giving write also gives delete. Is there any way to enable user write to their history file but prevent it being deleted?

I know even this is a bit poor as they could cat a null file to it, but it's better than nothing.

Thanks.

 

[KenCunningham]

I don't know of a way to do exactly what you wish, but could you copy it (renaming as necessary and adding a unique timestamp) somewhere else on a regular basis to keep an audit record?

Presumably these two users (why two, a joint effort?) are well aware that what they (allegedly) did will automatically put them in the frame for having caused the failure and that they will be monitord on that basis?

The internet - allowing those who don't know what they're talking about to have their say.

 

[MoreFeo]

Maybe using rsync to another system.