Shell game: Managing Bash command history

Limiting or disabling the Bash command history can prevent attackers from gaining access to passwords, IP addresses and other valuable data and compromising your host.

The Bash shell is the default shell environment in most Linux distributions, including all flavours of Red Hat. One default feature of the Bash shell is to record a history of all the commands entered by a user in a log file called .bash_history, found in the user's home directory.

More security tips:
The Linux desktop: Browser and distro security tips

Passphrases instead of passwords on Red Hat, part 1

The history in this file can be retrieved from the command line using the more or cat binaries or by using the internal Bash command, history. For many users, it is useful to retrieve the previously executed commands, usually to save the effort of re-typing them.

So why might we want to limit or disable this Bash command history? Well, among the commands that your users type are file names, command names, IP addresses, passwords and a myriad of other data that are potentially valuable to an attacker intent on subverting or compromising your host. Keeping a record of this data means an attacker may only need to compromise an individual .bash_history file rather than a more difficult source of data.

To limit the size and behaviour of the .bash_history file, you need to edit the behavior of the shell in the /etc/profile file (the central version of the .bash_profile file usually contained in users home directories). Add or change the following three lines to the file:

export HISTSIZE=100
export HISTFILESIZE=100
unset HISTFILE

The first two lines set the length and size of the history stored in the file. The last line unsets the HISTFILE variable that tells the Bash shell not to save history when the user logs out of the interactive session. This means an online user will only be able to see the history of the last 100 commands, and that history will disappear after the user logs out of the host.

A further way to ensure the command history is removed is to include a command in the .bash_logout file (other shells use the .logout file). The contents of the .bash_logout file are executed when the user logs out. You can see a simple .bash_logout file on the following lines:

# ~/.bash_logout

/bin/rm -f $HOME/.bash_history
clear

The rm command will remove the .bash_history file from the users home directory when the user logs out. To add this to the file you can edit the .bash_logout file contained in the /etc/skel directory (the contents of this directory are copied to the home directories of all new users when they are created). Existing users will need the .bash_logout files in their home directories adjusted to add the command.

There is, however, one gotcha associated with this change, and that is that if an attacker has compromised your host, then the history of their actions might not be recorded. Of course, any talented attacker will use other means (including this exact method and others like the deletion or editing of log files) to remove that history.

James Turnbull is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.


This was first published in September 2006
This Content Component encountered an error

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchDataCenter

SearchServerVirtualization

SearchCloudComputing

SearchEnterpriseDesktop

Close