Вход команд, выполняемых удаленными сценариями оболочки

The .*_history files are modified when you run an interactive shell. In your case, a remote server logs into this box and runs a script and exits process, but does not invoke an interactive shell. Hence no command logging.

Even if this is not a remote server, think about the situation below:

You are at the shell prompt and run these commands in succession

# ls -l
# grep $(whoami) /etc/passwd
# netstat -rn

and when you look back into the shell history, you will see these commands there. Now, put all 3 comands into a shell script and name it as "collect_data.sh", chmod it to make it executable, and execute it by issuing # ./collect_data.sh

when you look back into your shell history, what do you see? Those three command or just ./collect_data.sh? I bet dollars to your pocket lint that, it is the latter.

When you invoke a shell script, regardless of whether it's done local or remote, you are creating a sub-shell, where commands run under. Those shells, being non-interactive, have no way of writing to your history file(s). Of course this is short of recompiling your shell executable in a weird way to allow such activity, but why would anyone do that?

Since you asked this question, I am under the impression that you are thinking something sinister might be happening by someone executing remote commands without you knowing about them. If this is the case, you need help from something like tripwire or alike, auditing applications. Just by looking at shell history, even commands existed there, you can not prove anything.

Hope this helps