https://community.checkpoint.com/t5/API-CLI-Discussion/Clishtory/m-p/164323#M7333 <P>The following script can be run on a Gaia system to provide a log of all Clish entries from all users.</P><P>You can also use the script repository in Smart Console.</P><P>Observations:</P><UL><LI>The Clish history file is written upon logout of the session, so if a command crashes the system it could not be logged, nor does it log commands being entered by an active user</LI><LI>There's no timestamps that I know of for individual commands</LI><LI>The script will cycle through UID and collect the Clish history from each one. Some Check Point services have UID above 102 but don't use clish, so they will still appear in the report</LI><LI>I'm including the base64 below to use in your favourite launcher</LI><LI>Only tried on R81.10</LI></UL><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">#!/bin/bash echo "Clish history for $(hostname)" printf "\n" readarray -t user_index &lt; &lt;(cat /etc/passwd | awk -F: '{user_id=$3+0; if(user_id==0 || user_id &gt; 102) {print $1}}' | grep -v root) declare -p user_index &gt;/dev/null for i in ${user_index[@]} do if test -f /home/$i/.clish_history; then echo "User $i, last modified on $(ls -l /home/$i/.clish_history | awk '{print $6, $7}')" cat /home/$i/.clish_history else echo "No clish entries for user $i" fi printf "\n" done</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Base64</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">IyEvYmluL2Jhc2gKCmVjaG8gIkNsaXNoIGhpc3RvcnkgZm9yICQoaG9zdG5hbWUpIgpwcmludGYgIlxuIgoKcmVhZGFycmF5IC10IHVzZXJfaW5kZXggPCA8KGNhdCAvZXRjL3Bhc3N3ZCB8IGF3ayAtRjogJ3t1c2VyX2lkPSQzKzA7IGlmKHVzZXJfaWQ9PTAgfHwgdXNlcl9pZCA+IDEwMikge3ByaW50ICQxfX0nIHwgZ3JlcCAtdiByb290KQpkZWNsYXJlIC1wIHVzZXJfaW5kZXggJj4vZGV2L251bGwKCmZvciBpIGluICR7dXNlcl9pbmRleFtAXX0KZG8KaWYgdGVzdCAtZiAvaG9tZS8kaS8uY2xpc2hfaGlzdG9yeTsgdGhlbgplY2hvICJVc2VyICRpLCBsYXN0IG1vZGlmaWVkIG9uICQobHMgLWwgL2hvbWUvJGkvLmNsaXNoX2hpc3RvcnkgfCBhd2sgJ3twcmludCAkNiwgJDd9JykiCmNhdCAvaG9tZS8kaS8uY2xpc2hfaGlzdG9yeQplbHNlCmVjaG8gIk5vIGNsaXNoIGVudHJpZXMgZm9yIHVzZXIgJGkiCmZpCnByaW50ZiAiXG4iCmRvbmUK</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>The output will be something like this.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">Clish history for &lt;hostname&gt; User admin, last modified on Dec 6 installer check-for-updates lock database override installer check-for-updates show installer status exit No clish entries for user postfix User &lt;user removed&gt;, last modified on Dec 6 show dns expert show asset networ show asset network exit User &lt;user removed&gt;, last modified on Dec 6 show config-lock show ntp servers exit No clish entries for user cp_postgres No clish entries for user cp_extensions No clish entries for user cpep_user</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Smart Console</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clish.png" style="width: 692px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18657i548EA0E73C9E35CB/image-size/large?v=v2&amp;px=999" role="button" title="clish.png" alt="clish.png" /></span></P> Wed, 07 Dec 2022 11:27:12 GMT Alex- 2022-12-07T11:27:12Z https://community.checkpoint.com/t5/API-CLI-Discussion/Clishtory/m-p/164323#M7333 <P>The following script can be run on a Gaia system to provide a log of all Clish entries from all users.</P><P>You can also use the script repository in Smart Console.</P><P>Observations:</P><UL><LI>The Clish history file is written upon logout of the session, so if a command crashes the system it could not be logged, nor does it log commands being entered by an active user</LI><LI>There's no timestamps that I know of for individual commands</LI><LI>The script will cycle through UID and collect the Clish history from each one. Some Check Point services have UID above 102 but don't use clish, so they will still appear in the report</LI><LI>I'm including the base64 below to use in your favourite launcher</LI><LI>Only tried on R81.10</LI></UL><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">#!/bin/bash echo "Clish history for $(hostname)" printf "\n" readarray -t user_index &lt; &lt;(cat /etc/passwd | awk -F: '{user_id=$3+0; if(user_id==0 || user_id &gt; 102) {print $1}}' | grep -v root) declare -p user_index &gt;/dev/null for i in ${user_index[@]} do if test -f /home/$i/.clish_history; then echo "User $i, last modified on $(ls -l /home/$i/.clish_history | awk '{print $6, $7}')" cat /home/$i/.clish_history else echo "No clish entries for user $i" fi printf "\n" done</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Base64</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">IyEvYmluL2Jhc2gKCmVjaG8gIkNsaXNoIGhpc3RvcnkgZm9yICQoaG9zdG5hbWUpIgpwcmludGYgIlxuIgoKcmVhZGFycmF5IC10IHVzZXJfaW5kZXggPCA8KGNhdCAvZXRjL3Bhc3N3ZCB8IGF3ayAtRjogJ3t1c2VyX2lkPSQzKzA7IGlmKHVzZXJfaWQ9PTAgfHwgdXNlcl9pZCA+IDEwMikge3ByaW50ICQxfX0nIHwgZ3JlcCAtdiByb290KQpkZWNsYXJlIC1wIHVzZXJfaW5kZXggJj4vZGV2L251bGwKCmZvciBpIGluICR7dXNlcl9pbmRleFtAXX0KZG8KaWYgdGVzdCAtZiAvaG9tZS8kaS8uY2xpc2hfaGlzdG9yeTsgdGhlbgplY2hvICJVc2VyICRpLCBsYXN0IG1vZGlmaWVkIG9uICQobHMgLWwgL2hvbWUvJGkvLmNsaXNoX2hpc3RvcnkgfCBhd2sgJ3twcmludCAkNiwgJDd9JykiCmNhdCAvaG9tZS8kaS8uY2xpc2hfaGlzdG9yeQplbHNlCmVjaG8gIk5vIGNsaXNoIGVudHJpZXMgZm9yIHVzZXIgJGkiCmZpCnByaW50ZiAiXG4iCmRvbmUK</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>The output will be something like this.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">Clish history for &lt;hostname&gt; User admin, last modified on Dec 6 installer check-for-updates lock database override installer check-for-updates show installer status exit No clish entries for user postfix User &lt;user removed&gt;, last modified on Dec 6 show dns expert show asset networ show asset network exit User &lt;user removed&gt;, last modified on Dec 6 show config-lock show ntp servers exit No clish entries for user cp_postgres No clish entries for user cp_extensions No clish entries for user cpep_user</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Smart Console</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clish.png" style="width: 692px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18657i548EA0E73C9E35CB/image-size/large?v=v2&amp;px=999" role="button" title="clish.png" alt="clish.png" /></span></P> Wed, 07 Dec 2022 11:27:12 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Clishtory/m-p/164323#M7333 Alex- 2022-12-07T11:27:12Z https://community.checkpoint.com/t5/API-CLI-Discussion/Clishtory/m-p/164353#M7334 <P>Huh, I didn’t even realize we tracked clish history.<BR />If you’re looking at auditing what users do, using the AAA functionality might be better as the commands issued are sent by syslog.&nbsp;</P> Tue, 06 Dec 2022 15:39:44 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Clishtory/m-p/164353#M7334 PhoneBoy 2022-12-06T15:39:44Z https://community.checkpoint.com/t5/API-CLI-Discussion/Clishtory/m-p/164415#M7335 <P>I believe that one of the strengths of Gaia/Titan is that everything is logged or can be set to do so.</P><P>AAA is indeed much better overall for this sort of things, this is just a simple tool for implementations that don't run it and would be interested in CLI user logs in one go.</P> Wed, 07 Dec 2022 11:43:23 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Clishtory/m-p/164415#M7335 Alex- 2022-12-07T11:43:23Z