Bash history was a convenience feature to help a user recall previous commands and not intended to meet any security requirements.
The Linux audit system (or alternate kernel level audit OS facility) is a more robust way to ensure user and process log events are recorded.
Two main security issues are:

- The user / owner of the bash process is able to overwrite or delete the `.bash_history` file.
- There are a number of ways to hide activity by:
  - executing alternate shells.
  - using programs that support commands (vim?).
  - modifying shell options (`set +o history`).
There are other concerns about default bash history settings (which may vary across distributions).
| Common default | Potential "fixes" in bashrc | Note |
|---|---|---|
| History size is often conservative, e.g. only 1000 lines | `HISTSIZE=10000` | 10000 command lines used in history search |
| | `HISTFILESIZE=100000` | command lines kept in history file (can be bigger than search) |
| The default bash history file setting doesn't include a time stamp | `HISTTIMEFORMAT='%F %T'` | The timestamp is saved as a Unix epoch, while this defines how it is displayed with `history` |
| Multiple running shells will overwrite the history file, losing commands executed in other shells | `shopt -s histappend` | |
| If the shell is killed, the command history is lost | `PROMPT_COMMAND="history -a;$PROMPT_COMMAND"` | make bash write history after each command instead of waiting for the exit |
| `HISTCONTROL=ignoreboth` avoids logging duplicated commands and commands prefixed with a space | `unset HISTCONTROL` | However, logging duplicates makes history search less effective, and ignoring a command prefixed with a space is a useful mitigation when commands include secrets in the arguments (e.g. a password) |
| Commands split on multiple lines may be hard to grep or parse later | `shopt -s cmdhist` | remove `\` to avoid splitting into multiple lines |
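The two table rows about timestamps and multi-line commands are easiest to see in the file itself. With `HISTTIMEFORMAT` set, bash writes each entry as a `#<epoch>` comment line followed by the command, and with `lithist` a multi-line command keeps its embedded newlines, so several lines can follow one timestamp. The following added example (not from the gist) is a small POSIX `awk` filter that flattens such a file into one `epoch<TAB>command` line per entry, which is the shape you want before grepping it or lining it up against audit logs. Entries written before timestamps were enabled get `-` as their epoch; the sample input in the usage line is constructed.

```shell
# Added example, not from the original gist.
# Reads a timestamped .bash_history on stdin and writes one line per entry:
#   <epoch or ->  <TAB>  <command, with embedded newlines encoded as literal "\n">
# Note: bash itself cannot tell a stored "#1700000000" marker from a command
# that happens to be a bare numeric comment; this filter has the same limit.
parse_history() {
    awk '
        # emit the entry collected so far, if any
        function flush() {
            if (cmd != "") printf "%s\t%s\n", (ts == "" ? "-" : ts), cmd
            cmd = ""
        }
        # "#<digits>" on its own line is the timestamp of the entry that follows
        /^#[0-9]+$/ { flush(); ts = substr($0, 2); next }
        # any other line belongs to the current entry; continuation lines of a
        # lithist multi-line command are joined with a visible, reversible "\n"
        { cmd = (cmd == "") ? $0 : cmd "\\n" $0 }
        END { flush() }
    '
}

# usage with constructed sample input (a real file would be ~/.bash_history):
printf 'old command\n#1700000000\nls -la\n#1700000005\nfor f in *\ndo\necho "$f"\ndone\n' \
    | parse_history
```

The epoch column can be fed to `date` for display, and, because it is a plain number, sorted or diffed across users' history files without parsing the `HISTTIMEFORMAT` layout.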
`/etc/bashrc` can be used to:

- Set `PROMPT_COMMAND` to call `history -a` and lock it with `declare -r PROMPT_COMMAND`
- Add a trap function so that `logger` is used to record bash history to syslog system-wide

This will prevent non-root users from modifying `PROMPT_COMMAND`. But other tricks can subvert it:

- `set +o history` disables history
- There may be hacky ways to unset it like attaching gdb to the current shell and unbinding the variable.
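Putting the table settings and the two `/etc/bashrc` ideas together, here is an added example of a system-wide fragment (it is not the gist's own file). It is written for `/etc/bashrc` (Debian reads `/etc/bash.bashrc` instead), only acts in interactive shells, locks `PROMPT_COMMAND` with `declare -r`, and forwards each command to syslog through `logger` from a `DEBUG` trap. The syslog facility `local6`, the tag `bash-history` and the `__hist_*` names are assumptions; pick a facility your syslog or journald configuration ships off-host.

```shell
# Added example, not the gist's own file: history hardening for /etc/bashrc.
# Everything is inside the "*i*" case so it is a no-op for scripts.
case $- in
*i*)
    HISTSIZE=10000
    HISTFILESIZE=100000
    HISTTIMEFORMAT='%F %T '        # stored as an epoch "#1700000000" line, shown as a date
    unset HISTCONTROL              # keep duplicates and space-prefixed commands
    shopt -s histappend            # append on exit instead of overwriting the file
    shopt -s cmdhist               # one multi-line command -> one history entry
    shopt -u lithist               # ...joined with ";" rather than embedded newlines

    # Write the file after every command, then make the variable read-only so a
    # non-root user cannot unset or reassign it (declare -r cannot be reversed).
    PROMPT_COMMAND="history -a${PROMPT_COMMAND:+;$PROMPT_COMMAND}"
    declare -r PROMPT_COMMAND

    # DEBUG trap: runs before every simple command, after the command has been
    # added to the history list, so "history 1" is the command about to run.
    # It fires once per simple command (twice for "a | b") and again for the
    # commands in PROMPT_COMMAND, so remember the last entry sent and skip repeats.
    __hist_tty=$(tty 2>/dev/null || echo notty)   # assumed helper variable name
    __hist_log() {
        local entry
        entry=$(history 1)
        [ "$entry" = "$__hist_last" ] && return
        __hist_last=$entry
        # drop the leading history number; keep the timestamp and the command
        logger -p local6.info -t bash-history \
            "user=$USER euid=$EUID pid=$$ tty=$__hist_tty cmd=$(printf '%s\n' "$entry" | sed 's/^ *[0-9]*  //')"
    }
    trap __hist_log DEBUG
    ;;
esac
```

Two caveats for anyone deploying this. First, a read-only `PROMPT_COMMAND` will make any user `~/.bashrc` or tool that tries to assign it fail with "readonly variable", so announce the change. Second, as the gist says, this raises the effort needed to hide a command but is not an audit control: shell options and traps are not lockable the way a variable is, so the syslog copy is a deterrent and a convenience, and the Linux audit system remains the record to rely on.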
As already mentioned, some programs take arguments for passwords or security tokens, and these could be inadvertently exposed by logging.
In the bash v4.1 release notes:

> There is a new configuration option (in `config-top.h`) that forces bash to forward all history entries to syslog.

However, this is a compile time option.
TODO:

- Find out about the effect (if any) on scripting. Doubtful. I assume this only impacts interactive terminals.
- Add an example of how to patch (uncomment this), compile and install from Debian/CentOS source packages.
- Look into how one might correlate bash and alternate shell commands to events in Linux audit logs.
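As a starting point for the audit-log TODO, and for the opening remark that the audit system is the robust option, here is an added example (not part of the gist) of the audit rules a defender would load so that every `execve()` by a login user is recorded regardless of which shell or editor ran it. The rule key `cmd_exec` and the function names are assumptions; the `auditctl` and `ausearch` options are standard ones.

```shell
# Added example, not from the gist: record command execution with the Linux
# audit system. Put the two auditctl rules (without the "auditctl" prefix) in
# /etc/audit/rules.d/*.rules to make them survive a reboot.
install_exec_audit_rules() {
    # auid>=1000 limits the rule to real login users; auid!=4294967295 (i.e.
    # "unset") drops daemons that were never attached to a login session.
    auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k cmd_exec
    auditctl -a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k cmd_exec
}

# Print the matching records in interpreted form: -i turns uids and syscall
# numbers into names. The login uid (auid) survives su/sudo and alternate
# shells, which is exactly what .bash_history cannot give you.
show_exec_audit() {
    ausearch -k cmd_exec -i
}

# Usage: only root can load rules, and only on a host with auditd installed.
if [ "$(id -u)" -eq 0 ] && command -v auditctl >/dev/null 2>&1; then
    install_exec_audit_rules
fi
```

Because the audit records carry the kernel's own timestamp and the user's `auid`, the epoch saved by `HISTTIMEFORMAT` in `.bash_history` can be matched against `ausearch --start`/`-ts` windows to confirm (or refute) what the shell history claims was run.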
Thanks for this gist 🎉, if you allow me to make a suggestion, here it is:
`typeset` is supplied for compatibility with the Korn shell, so better use `declare`