@JPvRiel
Last active August 29, 2023 09:11
Notes on (ab)using bash history to record commands to syslog

Logging bash history to syslog

Overview

Bash history was a convenience feature to help a user recall previous commands and not intended to meet any security requirements.

The Linux audit system (or alternate kernel level audit OS facility) is a more robust way to ensure user and process log events are recorded.

Security issues with bash history files and $BASH_COMMAND

Two main security issues are:

  • The user / owner of the bash process is able to overwrite or delete the .bash_history file.

  • There are a number of ways to hide activity by:

    • executing alternate shells.
    • using programs that support commands (vim?).
    • modifying shell options (set +o history).

There are other concerns about default bash history settings (which may vary across distributions).

| Common default | Potential "fixes" in bashrc | Note |
| --- | --- | --- |
| History size is often conservative, e.g. only 1000 lines | HISTSIZE=10000 | 10000 command lines used in history search |
| | HISTFILESIZE=100000 | command lines kept in history file (can be bigger than search) |
| The default bash history file setting doesn't include a time stamp | HISTTIMEFORMAT='%F %T' | The timestamp is saved as a Unix epoch, while this defines how it is displayed with history |
| Multiple running shells will overwrite the history file, losing commands executed in other shells | shopt -s histappend | |
| If the shell is killed, the command history is lost | PROMPT_COMMAND="history -a;$PROMPT_COMMAND" | make bash write history after each command instead of waiting for the exit |
| HISTCONTROL=ignoreboth avoids logging commands with a leading space or duplicates | unset HISTCONTROL | However, duplicated commands will affect how effective command history is cached, and ignoring a command with a leading space is a useful mitigation when commands include secrets in the arguments (e.g. a password) |
| Commands split on multiple lines may be hard to grep or parse later | shopt -s cmdhist | remove \ to avoid splitting into multiple lines |

/etc/bashrc can be used to:

  • Set PROMPT_COMMAND to call history -a and lock it with declare -r PROMPT_COMMAND
  • Add a trap function so that logger is used to record bash history to syslog system-wide

This prevents non-root users from modifying PROMPT_COMMAND, but other tricks can still subvert it.

Commands with secrets?

As already mentioned, some programs take arguments for passwords or security tokens, and these could be inadvertently exposed by logging.
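The /etc/bashrc approach described above (history settings from the table, a locked PROMPT_COMMAND, and a trap that hands each command to logger), written out as an added example; this is not code from the gist. The syslog message layout, the local6 facility and the helper names are assumptions. The hook only arms itself in an interactive bash shell, so sourcing the fragment from scripts or non-interactive shells does nothing, and the filter function is where a site would add exclusions for commands known to carry secrets in their arguments:

```shell
#!/usr/bin/env bash
# Added example (not code from the gist): a system-wide /etc/bashrc fragment
# that applies the history settings from the table above, locks
# PROMPT_COMMAND, and forwards each command line to syslog via logger(1)
# from a DEBUG trap. It only arms itself in an interactive bash shell.
# The message layout and the local6 facility are assumptions, not the gist's.

# Build the syslog message for one command. Kept as a plain function so the
# format can be checked without a syslog daemon.
history_syslog_msg() {
  # $1 = user name, $2 = uid, $3 = working directory, $4 = command line
  printf 'user=%s uid=%s pwd=%s cmd=%s' "$1" "$2" "$3" "$4"
}

# Decide whether a command line should be forwarded: skip empty lines and
# the `history -a` bookkeeping that PROMPT_COMMAND itself runs, which would
# otherwise be logged after every prompt.
history_should_log() {
  case "$1" in
    '' | 'history -a'*) return 1 ;;
    *) return 0 ;;
  esac
}

# DEBUG trap handler: $BASH_COMMAND is the simple command about to run.
history_to_syslog() {
  local cmd="$BASH_COMMAND"
  history_should_log "$cmd" || return 0
  logger -p local6.info -t "bash-history[$$]" \
    "$(history_syslog_msg "$USER" "$UID" "$PWD" "$cmd")"
}

# Arm history hardening and the syslog hook; a no-op outside interactive bash.
history_logging_install() {
  [ -n "$BASH_VERSION" ] || return 0
  case $- in *i*) ;; *) return 0 ;; esac
  # Guard against being sourced twice (declare -r would fail the 2nd time).
  [ -n "${HISTORY_LOGGING_ARMED:-}" ] && return 0
  HISTORY_LOGGING_ARMED=1

  HISTSIZE=10000
  HISTFILESIZE=100000
  HISTTIMEFORMAT='%F %T '   # trailing space keeps the stamp apart from the command
  unset HISTCONTROL
  shopt -s histappend cmdhist
  # Flush history after every command, then make the variable read-only so
  # an unprivileged user cannot unset or overwrite it in this shell.
  PROMPT_COMMAND="history -a;${PROMPT_COMMAND:-:}"
  declare -r PROMPT_COMMAND
  trap history_to_syslog DEBUG
}

history_logging_install
```

Because the DEBUG trap reads $BASH_COMMAND rather than the history list, it records a command even when HISTCONTROL would have kept it out of .bash_history; that is why the fragment unsets HISTCONTROL and leaves filtering to history_should_log. As the gist notes, the trap and the read-only variable only raise the bar: a user who starts a different shell, or clears the trap, steps outside it, which is where the audit system comes in.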

Bash Syslog support

In bash v4.1 release notes:

There is a new configuration option (in config-top.h) that forces bash to forward all history entries to syslog.

However, this is a compile time option.

TODO:

  • Find out about the effect (if any) on scripting. Doubtful. I assume this only impacts interactive terminals.
  • Add example of how to patch (uncomment this) and install and compile from Debian/CentOS source packages.
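The patch step the TODO above refers to, as an added example rather than anything from the gist: the option is the SYSLOG_HISTORY define in bash's config-top.h, shipped commented out, and enabling it means uncommenting that line in the unpacked source before the normal build. The helper names and the sample source path are assumptions; the define name is bash's own.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): enable bash's built-in history-to-syslog
# support by uncommenting SYSLOG_HISTORY in config-top.h before building.
# The define name is bash's own; the path passed in is whatever unpacked
# source tree you are building from.

# Patch config-top.h so the commented-out define becomes active. Writes to a
# temp file instead of relying on `sed -i`, which differs between GNU and BSD sed.
enable_syslog_history() {
  local cfg="$1"
  local tmp
  tmp="$(mktemp)" || return 1
  sed 's|^/\* #define SYSLOG_HISTORY \*/|#define SYSLOG_HISTORY|' "$cfg" > "$tmp" \
    && mv "$tmp" "$cfg"
}

# Report whether SYSLOG_HISTORY is now an active (uncommented) define.
syslog_history_enabled() {
  grep -q '^#define SYSLOG_HISTORY' "$1"
}

# Usage against a real tree (version placeholder), e.g. after `apt-get source bash`
# on Debian or unpacking the upstream tarball:
#   enable_syslog_history bash-<version>/config-top.h
#   syslog_history_enabled bash-<version>/config-top.h && echo enabled
# then rebuild with the usual steps for the tree (./configure && make, or the
# distribution's packaging build such as dpkg-buildpackage or rpmbuild).
```

Since this is baked into the binary at compile time, the resulting bash will forward history entries regardless of what the user's bashrc does, which is the property the runtime PROMPT_COMMAND approach cannot offer; it does, however, mean maintaining a locally rebuilt package across updates.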

Linux Audit

TODO:

  • Look into how one might correlate bash and alternate shell commands to events in Linux audit logs.

Reference

@eevmanu

eevmanu commented Oct 9, 2022

  • Set PROMPT_COMMAND to call history -a and lock it with typeset -r PROMPT_COMMAND

Thanks for this gist 🎉, if you allow me to make a suggestion, here it is: typeset is supplied for compatibility with the Korn shell, so better use declare

@JPvRiel
Author

JPvRiel commented Oct 9, 2022

@eevmanu, thanks, appreciate the tip. Updated the gist accordingly.

typeset is supplied for compatibility with the Korn shell, so better use declare
