
Is there a way to have rlwrap automatically delete history files?


I am using rlwrap to give command history to sqlplus/rman/etc. on a Linux server. I can see the command history files such as .sqlplus_history being generated, and because these are plain text files that could possibly contain passwords, e.g. if a user enters 'connect username/password' inside of sqlplus, there is a security risk to keeping them indefinitely.

Is there an easier way than some kind of cron job that would remove the logs at regular intervals?

I was hoping for some kind of keywords that would trigger the removal of the log, such as: if the 'exit' or 'quit' command is read, the user leaves sqlplus and the .sqlplus_history log is removed. Is anything like this possible?


Solution

  • rlwrap has many options to keep command lines out of the history list (and hence out of the history file), although not exactly in the way you describe (which I would not find as useful anyway)

    • rlwrap --forget-matching connect sqlplus will not remember any input lines that contain the string connect
    • Specifying a negative history size, like rlwrap --histsize -3000 will treat the history file as read-only (the password will still be visible in the history, but it will not be written to a file)
    • Entering a line with CTRL+O will keep this particular line out of the history list. (This action can be re-bound to another key, see the manpage)

    For a really fancy password censor, one could write a filter censor_passwords like this:

    #!/usr/bin/env perl
    # rlwrap filter: censor passwords in SQL 'identified by' clauses before they enter the history
    use strict;
    use warnings;
    use lib ($ENV{RLWRAP_FILTERDIR} or ".");   # where rlwrap installs RlwrapFilter.pm
    use RlwrapFilter;
    
    my $filter = RlwrapFilter->new;
    
    $filter->help_text("This filter removes the password from SQL 'identified by' clauses\n");
    
    # The history handler receives, in $_, each line rlwrap is about to add to its
    # history list and must return the text that should be stored instead.
    $filter->history_handler(sub { s/(identified\s+by\s+)(\S+)/${1}xXxXxXxX/ig; $_ });
    
    $filter->run;
    

    .. and then use it like rlwrap -z censor_passwords sqlplus.

    Any input containing IDENTIFIED BY yd6e7#te6 will then be remembered as IDENTIFIED BY xXxXxXxX
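The following is an added example, not code from the answer above or from the rlwrap project. It extends the censoring filter to the second credential form the question mentions, sqlplus' `connect user/password[@service]`, alongside `IDENTIFIED BY`, and factors the rewrite into a `censor_line` function with a `--selftest` mode so the regexes can be checked without rlwrap. The filter name `censor_sql_secrets`, the helper name, the `$MASK` placeholder and the `--selftest` switch are my own; it assumes, like the answer's filter, that RlwrapFilter.pm is reachable via `RLWRAP_FILTERDIR`, and that the two regexes cover the sqlplus syntax in use (quoted passwords are handled, but this is an assumption, not a check against every sqlplus form).

```perl
#!/usr/bin/env perl
# censor_sql_secrets: added example rlwrap filter (not the original answer's code).
# Masks passwords in "IDENTIFIED BY <pw>" and "connect user/<pw>[@service]" lines
# before rlwrap stores them in its history list (and hence the history file).
use strict;
use warnings;

my $MASK = 'xXxXxXxX';   # assumed placeholder written in place of the password

# Rewrite one input line so no credential survives into the history.
sub censor_line {
    my ($line) = @_;

    # CREATE/ALTER USER ... IDENTIFIED BY <pw>   (password may be double-quoted)
    $line =~ s/(identified\s+by\s+)("[^"]*"|\S+)/$1$MASK/ig;

    # connect|conn user/<pw>[@service] [as sysdba]  -> user/<MASK>
    # "connect / as sysdba" (OS authentication, no password) is left alone.
    $line =~ s{\b(conn(?:ect)?\s+[^/\s@]+/)("[^"]*"|[^\s@]+)}{$1$MASK}ig;

    return $line;
}

# Self-test with constructed sample lines; runs without rlwrap present.
if (@ARGV and $ARGV[0] eq '--selftest') {
    my @samples = (
        'CREATE USER scott IDENTIFIED BY yd6e7#te6;',
        'alter user scott identified by "quoted pw" account unlock;',
        'connect scott/tiger@orcl',
        'conn sys/oracle as sysdba',
        'connect / as sysdba',
        'select * from dual;',
    );
    print censor_line($_), "\n" for @samples;
    exit 0;
}

# Only needed when running as a real rlwrap filter.
use lib ($ENV{RLWRAP_FILTERDIR} or ".");
require RlwrapFilter;

my $filter = RlwrapFilter->new;
$filter->help_text("Masks passwords in IDENTIFIED BY clauses and connect user/password "
                 . "strings before they reach rlwrap's history\n");
$filter->history_handler(sub { censor_line($_) });
$filter->run;
```

Make the script executable and either place it in `$RLWRAP_FILTERDIR` or pass its path, then start the client with `rlwrap -z censor_sql_secrets sqlplus`; `./censor_sql_secrets --selftest` prints the six constructed lines with `yd6e7#te6`, `"quoted pw"`, `tiger` and `oracle` replaced by `xXxXxXxX` and the last two lines unchanged. Two caveats a practitioner should keep in mind: the handler only changes what is stored in the history list, so the password is still echoed on the terminal and held in rlwrap's memory for the session, and a pattern the regexes do not anticipate will pass through unmasked. Combining the filter with `--forget-matching` for the known keywords, and with `-H` (`--history-filename`) to put the history file in a directory with restrictive permissions, reduces both exposures.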