Shell game: Managing Bash command history


James Turnbull
09.27.2006


The Bash shell is the default shell environment in most Linux distributions, including all flavours of Red Hat. One default feature of the Bash shell is to record a history of all the commands entered by a user in a log file called .bash_history, found in the user's home directory.

The history in this file can be retrieved from the command line using the or binaries or by using the internal Bash command, . For many users, it is useful to retrieve the previously executed commands, usually to save the effort of re-typing them.

So why might we want to limit or disable this Bash command history? Well, among the commands that your users type are file names, command names, IP addresses, passwords and a myriad of other data that are potentially valuable to an attacker intent on subverting or compromising your host. Keeping a record of this data means an attacker may only need to compromise an individual .bash_history file rather than a more difficult source of data.

To limit the size and behaviour of the .bash_history file, you need to change the shell's configuration in the /etc/profile file (the central version of the .bash_profile file usually found in users' home directories). Add or change the following three lines in the file:

The first two lines set the length and size of the history stored in the file. The last line unsets the HISTFILE variable, which tells the Bash shell not to save history when the user logs out of the interactive session. This means an online user will only be able to see the history of the last 100 commands, and that history will disappear after the user logs out of the host.

A further way to ensure the command history is removed is to include a command in the .bash_logout file (other shells use the .logout file). The contents of the .bash_logout file are executed when the user logs out. You can see a simple .bash_logout file on the following lines:

The rm command will remove the .bash_history file from the user's home directory when the user logs out. To add this to the file, you can edit the .bash_logout file contained in the /etc/skel directory (the contents of this directory are copied to the home directories of all new users when they are created). Existing users will need the .bash_logout files in their home directories adjusted to add the command.
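The two listings this tip refers to are missing from this copy of the page. As an added example (not the author's code), the script below applies both changes idempotently to a profile file and a .bash_logout file. The variable names HISTSIZE and HISTFILESIZE, the exact rm line and the function names are assumptions; the limit of 100 comes from the text.

```shell
#!/bin/sh
# Added example, not the article's listing. Assumptions: HISTSIZE and
# HISTFILESIZE are the "first two lines"; the rm line below is the logout
# command. The limit of 100 is the figure the article gives.
HIST_LIMIT=100

# Leave exactly one copy of the three history settings at the end of a profile.
harden_profile() {
    profile=$1
    [ -f "$profile" ] || return 1
    tmp=$(mktemp) || return 1
    # Drop earlier settings of the same variables so repeated runs are idempotent.
    grep -Ev '^[[:space:]]*(export[[:space:]]+)?(HISTSIZE|HISTFILESIZE|HISTFILE)=|^[[:space:]]*unset[[:space:]]+HISTFILE' \
        "$profile" > "$tmp" || true
    {
        echo "HISTSIZE=$HIST_LIMIT"
        echo "HISTFILESIZE=$HIST_LIMIT"
        echo "unset HISTFILE"
    } >> "$tmp"
    # Write through the existing file so its owner and mode are kept.
    cat "$tmp" > "$profile" && rm -f "$tmp"
}

# Append the history-removal command to a .bash_logout file unless present.
harden_logout() {
    logout_file=$1
    cmd='rm -f "$HOME/.bash_history"'
    touch "$logout_file" || return 1
    grep -qxF "$cmd" "$logout_file" || printf '%s\n' "$cmd" >> "$logout_file"
}

# Demonstration on constructed sample files in a scratch directory,
# not on the live /etc/profile or /etc/skel/.bash_logout.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'PATH=/usr/bin:/bin\nHISTSIZE=1000\nexport HISTFILE=/var/tmp/h\n' > "$dir/profile"
    printf 'clear\n' > "$dir/.bash_logout"
    harden_profile "$dir/profile" && harden_logout "$dir/.bash_logout"
    cat "$dir/profile" "$dir/.bash_logout"
    rm -rf "$dir"
}
demo
```

Point the functions at /etc/profile and /etc/skel/.bash_logout once the output on the scratch copies looks right. These settings are defaults rather than enforcement: a user can set HISTFILE again in their own startup files.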

There is, however, one gotcha associated with this change: if an attacker has compromised your host, the history of their actions might not be recorded. Of course, any talented attacker will use other means (including this exact method and others like the deletion or editing of log files) to remove that history.

James Turnbull is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.

