▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██ ██
█▌ - DISABLING BASH_HISTORY AND/OR LOGGING ALL USER'S CMDS - █▌
█▌ █▌
█ ▐▌
█ Once you have logged out of your shell, bash will by default store the last ▐▌
█ 500 cmds (commands), and/or 500 lines, that you executed in your ▐▌
█ .bash_history file for easy recall in future sessions (Ctrl+R or ! or !!). ▐▌
█ Even passwords that were entered as plain text are stored, such as: ▐▌
█ mysqladmin -u root password 'new-password' ▐▌
█ If you take a look at hack logs, many have "cat .bash_history". HERE is ▐▌
█ an infamous example, search for: cat .bash_history ▐▌
█ ▐▌
█ I've listed a number of different methods to disable it, limit it, or stop ▐▌
█ users from altering their own .bash_history for auditing needs. Depending ▐▌
█ on your own needs select a method/s. ▐▌
█ ▐▌
█ QUICK METHOD: ▐▌
█ TO VIEW YOUR .BASH_HISTORY: ▐▌
█ SOME COMMON BASH VARIABLES: ▐▌
█ VARIABLE NOTES: ▐▌
█ DISABLE .BASH_HISTORY - INCLUDING CURRENT SESSION'S KEYSTROKES: ▐▌
█ DISABLE .BASH_HISTORY - WHILE RETAINING CURRENT SESSION'S KEYSTROKE: ▐▌
█ TEMPORARILY DISABLE YOUR .BASH_HISTORY: ▐▌
█ LIMIT (not disable) .BASH_HISTORY FOR ALL USERS: ▐▌
█ PREVENT USERS MODIFYING THEIR .BASH_HISTORY: ▐▌
█ ▐▌
█ QUICK METHOD: ▐▌
█ ````````````` ▐▌
█ Quick method to completely disable your own .bash_history, without reading ▐▌
█ any further: ▐▌
█ Remove the file: ▐▌
█ rm ~/.bash_history -rf ▐▌
█ Clear your current history stored in RAM: ▐▌
█ history -c ▐▌
█ Change your settings: ▐▌
█ export HISTFILESIZE=0 ▐▌
█ export HISTSIZE=0 ▐▌
█ unset HISTFILE ▐▌
█ Logout, login, done. ▐▌
█ ▐▌
█ Or even faster method to send .bash_history to a black hole: ▐▌
█ rm ~/.bash_history ▐▌
█ ln /dev/null ~/.bash_history -sf ▐▌
█ Logout, login, done. ▐▌
█ ▐▌
█ TO VIEW YOUR .BASH_HISTORY: ▐▌
█ ``````````````````````````` ▐▌
█ history ▐▌
█ or ▐▌
█ ls -al .bash_history ▐▌
█ cat ~/.bash_history ▐▌
█ The number of cmds that history will show (cmd number on left column) ▐▌
█ might be larger than the default 500 as it includes your current session's ▐▌
█ cmds and what is in .bash_history. ▐▌
█ To view your top 10 bash cmds in your present history: ▐▌
█ history | awk '{print $2}' | awk 'BEGIN {FS="|"}{print $1}' | sort | uniq -c | sort -n | tail | sort -nr
█ You can re-execute any cmd on the list by entering the item number ▐▌
█ preceded with ! ▐▌
█ For example if on the list is the cmd above as 502, to re-execute it: ▐▌
█ !502 ▐▌
█ Or to re-execute the previous cmd: ▐▌
█ !! ▐▌
█ ▐▌
█ SOME COMMON BASH VARIABLES: ▐▌
█ ``````````````````````````` ▐▌
█ Can skip this section; not needed to read/do: ▐▌
█ Here is a list of some of the variables, with a brief description. Don't ▐▌
█ worry if these don't make sense now, you'll see how to use them below. ▐▌
█ Bash man page is HERE or in your shell prompt: man bash ▐▌
█ ▐▌
█ HISTFILE ▐▌
█ Set the name/path of bash history. Default is ~/.bash_history. If ▐▌
█ 'unset' bash history is not saved after exiting. ▐▌
█ HISTFILESIZE ▐▌
█ Set the maximum number of lines to be saved in .bash_history ▐▌
█ HISTSIZE ▐▌
█ Set the number of commands to remember/store in .bash_history ▐▌
█ HISTTIMEFORMAT ▐▌
█ Time stamp the commands. Example: export HISTTIMEFORMAT='%Y-%m-%d %H:%M' ▐▌
█ HISTCONTROL ▐▌
█ Here you can have a colon separated list of 'values' controlling what is ▐▌
█ stored in .bash_history. Here are a few of them: ▐▌
█ ignorespace - cmds that begin with a space will not be saved. ▐▌
█ ignoredups - cmds matching previous entries will not be saved. ▐▌
█ ignoreboth - ignoredups and ignorespace combined. ▐▌
█ erasedups - erases previous duplicate cmds in history before the new cmd ▐▌
█ is saved. I prefer using this line over ignoredups with HISTTIMEFORMAT ▐▌
█ as the latest occurrence of the cmd is saved. ▐▌
█ Here is an example using the above: ▐▌
█ export HISTCONTROL=ignorespace:erasedups ▐▌
█ HISTIGNORE ▐▌
█ Here you can have a colon separated list of 'patterns' controlling what ▐▌
█ is stored in .bash_history. ▐▌
█ "[ ]*" - cmds that begin with a space will not be saved. ▐▌
█ "&" - cmds matching previous entries will not be saved. ▐▌
█ Here is an example that will ignore duplicate cmds, cmds that begin with ▐▌
█ a space, and the exit cmd: ▐▌
█ export HISTIGNORE='&:[ ]*:exit' ▐▌
█ PROMPT_COMMAND ▐▌
█ To execute a set command prior to each of your primary commands. For ▐▌
█ example if you open multiple shell sessions and do not want each one ▐▌
█ overwriting your .bash_history on exit you could do this: ▐▌
█ export PROMPT_COMMAND='history -a; history -n' ▐▌
█ Or to save, append and reload history after each cmd executes: ▐▌
█ export PROMPT_COMMAND="history -a; history -r; $PROMPT_COMMAND" ▐▌
█ shopt -s histappend ▐▌
█ TMOUT ▐▌
█ The number of seconds until the shell session automatically terminates ▐▌
█ if it doesn't receive input. A 0 value means the shell will not ▐▌
█ automatically terminate. ▐▌
█ ▐▌
█ VARIABLE NOTES: ▐▌
█ ``````````````` ▐▌
█ 1) To activate the changes to a user's variables, the user will need to ▐▌
█ logout then back in (or open a new session or run the altered file). ▐▌
█ ▐▌
█ 2) To list your own environment variables: ▐▌
█ env ▐▌
█ ▐▌
█ If for example you have previously entered the cmd: ▐▌
█ export HISTCONTROL=ignorespace ▐▌
█ You'll see 'HISTCONTROL=ignorespace' in the output of env. ▐▌
█ ▐▌
█ To view a specific variable, precede that variable with: echo $ ▐▌
█ If there is no reply, it hasn't been manually set, and is at the default. ▐▌
█ For example: ▐▌
█ echo $HISTFILESIZE ▐▌
█ echo $HISTSIZE ▐▌
█ echo $TMOUT ▐▌
█ ▐▌
█ 3) To remove a variable that you have set use 'unset'. ▐▌
█ For example if you have done: ▐▌
█ export HISTSIZE=500 ▐▌
█ then remove that with: ▐▌
█ unset HISTSIZE ▐▌
█ ▐▌
█ 4) Keep in mind that if you change a user's bash environment variable, ▐▌
█ they can change it back if the correct permissions are not set. I'll go ▐▌
█ over that in the section 'PREVENT USERS MODIFYING THEIR .BASH_HISTORY'. ▐▌
█ ▐▌
█ 5) You might need to replace the double quotes " with single quotes ' in ▐▌
█ the variables below if you receive an error. ▐▌
█ ▐▌
█ ▐▌
█ DISABLE .BASH_HISTORY - INCLUDING CURRENT SESSION'S KEYSTROKES: ▐▌
█ ``````````````````````````````````````````````````````````````` ▐▌
█ With this method you will not be able to recall previous cmds (Ctrl+r). ▐▌
█ ▐▌
█ FOR YOURSELF: ▐▌
█ Clear your current history: ▐▌
█ history -c ▐▌
█ Remove the file: ▐▌
█ rm ~/.bash_history -rf ▐▌
█ Change your settings: ▐▌
█ export HISTFILESIZE=0 ▐▌
█ export HISTSIZE=0 ▐▌
█ unset HISTFILE ▐▌
█ ▐▌
█ (or you could add those settings to your ~/.bash_profile) ▐▌
█ ▐▌
█ FOR A SPECIFIED USER (replace 'user' with user's name): ▐▌
█ su ▐▌
█ Clear their history: ▐▌
█ history -c /home/user/.bash_history ▐▌
█ Remove the file: ▐▌
█ rm /home/user/.bash_history -rf ▐▌
█ Change their settings: ▐▌
█ echo "export HISTFILESIZE=0" >> /home/user/.bash_profile ▐▌
█ echo "export HISTSIZE=0" >> /home/user/.bash_profile ▐▌
█ echo "unset HISTFILE" >> /home/user/.bash_profile ▐▌
█ ▐▌
█ FOR ALL USERS: ▐▌
█ su ▐▌
█ pico /etc/profile ▐▌
█ Add these lines at the end of the file: ▐▌
█ export HISTFILESIZE=0 ▐▌
█ export HISTSIZE=0 ▐▌
█ unset HISTFILE ▐▌
█ ln /dev/null ~/.bash_history -sf ▐▌
█ ▐▌
█ You'll need to remove all users .bash_history files. Find them first to be ▐▌
█ sure these are the files you want to remove: ▐▌
█ find /home -type f -name .bash_history ▐▌
█ ▐▌
█ If your output above is correct, then to remove all of those files: ▐▌
█ find /home -type f -name .bash_history \ ▐▌
█ -exec rm -f {} \; ▐▌
█ ▐▌
█ Or: ▐▌
█ pico /etc/bash.bashrc ▐▌
█ Add these lines at the end: ▐▌
█ export HISTFILE= ▐▌
█ ln /dev/null ~/.bash_history -sf ▐▌
█ ▐▌
█ Or you could add these lines instead: ▐▌
█ export HISTSIZE=0 ▐▌
█ ln /dev/null ~/.bash_history -sf ▐▌
█ ▐▌
█ Or you could: ▐▌
█ echo "unset HISTFILE" >> /etc/profile ▐▌
█ ▐▌
█ As you can see there are a number of methods that can be applied to all ▐▌
█ users including root. ▐▌
█ ▐▌
█ FOR ROOT: ▐▌
█ su ▐▌
█ Clear root history: ▐▌
█ history -c /root/.bash_history ▐▌
█ Or: ▐▌
█ cat /dev/null > /root/.bash_history ▐▌
█ Send bash history to a black hole: ▐▌
█ rm /root/.bash_history -f ▐▌
█ ln /dev/null /root/.bash_history -sf ▐▌
█ ▐▌
█ Or you can add the settings: ▐▌
█ pico /root/.bash_profile ▐▌
█ If that file doesn't exist then: ▐▌
█ pico /root/.bashrc ▐▌
█ or ▐▌
█ pico /root/.profile ▐▌
█ Paste these lines at the bottom: ▐▌
█ export HISTFILESIZE=0 ▐▌
█ export HISTSIZE=0 ▐▌
█ unset HISTFILE ▐▌
█ ▐▌
█ If you choose to do this for root you should consider a logging program ▐▌
█ to monitor root actions and if possible have the logs sent live to another ▐▌
█ server. ▐▌
█ ▐▌
█ DISABLE .BASH_HISTORY - WHILE RETAINING CURRENT SESSION'S KEYSTROKE: ▐▌
█ ```````````````````````````````````````````````````````````````````` ▐▌
█ To be able to recall the current session's recent cmds (Ctrl+r) for ▐▌
█ example to 30 lines, in all the statements above for 'export HISTSIZE=0' ▐▌
█ change to: ▐▌
█ export HISTSIZE=30 ▐▌
█ ▐▌
█ Or you could: ▐▌
█ export HISTFILE=/dev/null ▐▌
█ ▐▌
█ Or you could: ▐▌
█ pico ~/.bashrc ▐▌
█ Add this line: ▐▌
█ HISTFILE=/dev/null ▐▌
█ ▐▌
█ TEMPORARILY DISABLE YOUR .BASH_HISTORY: ▐▌
█ ``````````````````````````````````````` ▐▌
█ If you want to temporarily disable the logging of your commands, first: ▐▌
█ unset HISTFILE ▐▌
█ Or you could: ▐▌
█ export HISTFILE=/dev/null ▐▌
█ Run your cmds, then reset it: ▐▌
█ export HISTFILE=~/.bash_history ▐▌
█ Or if you don't care to save the previous .bash_history and want to kill ▐▌
█ everything without a wait, after you are finished (not recommended) log ▐▌
█ out with this cmd: ▐▌
█ rm ~/.bash_history -f && kill -9 $$ ▐▌
█ ▐▌
█ LIMIT (not disable) .BASH_HISTORY FOR ALL USERS: ▐▌
█ ```````````````````````````````````````````````` ▐▌
█ pico /etc/profile ▐▌
█ Add these lines at the end, or adjust if already there to limit users to ▐▌
█ 20 previous cmds: ▐▌
█ HISTFILESIZE=30 ▐▌
█ HISTSIZE=30 ▐▌
█ ▐▌
█ PREVENT USERS MODIFYING THEIR .BASH_HISTORY: ▐▌
█ ```````````````````````````````````````````` ▐▌
█ Keep in mind that the methods below for bash are not impossible to bypass, ▐▌
█ as clever users can find ways around them, such as the few methods that I ▐▌
█ have read about and listed below. ▐▌
█ ▐▌
█ 1) To not allow users (or even root) to modify, move, or delete their ▐▌
█ .bash_history you need to set an attribute to append only (replace user ▐▌
█ with the user's name): ▐▌
█ su ▐▌
█ chattr +a /home/user/.bash_history ▐▌
█ On FreeBSD it would be: chflags sappnd /home/user/.bash_history ▐▌
█ ▐▌
█ You should also set append only on all the other bash configuration files. ▐▌
█ When a user logs in, bash reads /etc/profile first, then the first one it ▐▌
█ finds of the first three below, in this order: ▐▌
█ chattr +a /home/user/.bash_profile ▐▌
█ chattr +a /home/user/.bash_login ▐▌
█ chattr +a /home/user/.profile ▐▌
█ chattr +a /home/user/.bashrc ▐▌
█ chattr +a /home/user/.bash_logout ▐▌
█ ▐▌
█ .bashrc is read when ▐▌
█ A. another interactive shell is started, for example by entering: bash and ▐▌
█ B. When it is referred to from the other .bash files containing .bashrc in ▐▌
█ their body - so that means in every case. ▐▌
█ ▐▌
█ Here is an example to change the perms to +a on all the files listed ▐▌
█ above, in every user's /home directory, en masse: ▐▌
█ You might want to search for the files first to know you have all/only the ▐▌
█ correct files: ▐▌
█ find /home -type f -name .bash\* ▐▌
█ find /home -type f -name .profile ▐▌
█ ▐▌
█ Then to change to the perms: ▐▌
█ find /home -type f -name .bash\* \ ▐▌
█ -exec chattr +a {} \; ▐▌
█ find /home -type f -name .profile \ ▐▌
█ -exec chattr +a {} \; ▐▌
█ ▐▌
█ Even for root to edit files that are set to chattr +a that attribute must ▐▌
█ be removed first. ▐▌
█ To view chattr attributes on the file: ▐▌
█ lsattr .bash_history ▐▌
█ Output would be: -----a------------- ▐▌
█ To remove an 'a' attribute: ▐▌
█ chattr -a .bash_history ▐▌
█ Or if lsattr replied with an 'i' then -i. The i attribute is immutable- no ▐▌
█ append ability. ▐▌
█ To know more about chattr view HERE, or man chattr ▐▌
█ ▐▌
█ 2) Then you need to set the variables so that each cmd a user executes is ▐▌
█ logged immediately, and variables are set to read only so that users can't ▐▌
█ change them such as the size, location, and log all cmds. To do this: ▐▌
█ pico /etc/profile ▐▌
█ Add the following lines to the bottom of the file: ▐▌
if [ "$BASH" ]; then
PROMPT_COMMAND="history -a;$PROMPT_COMMAND";
readonly PROMPT_COMMAND
readonly HISTSIZE
readonly HISTFILE
readonly HISTFILESIZE
readonly HISTCMD
readonly HOME
readonly HISTIGNORE
readonly HISTCONTROL
fi
█ ▐▌
█ 3) Disable access to other shell programs on the system so the users must ▐▌
█ use bash. Some of the more common ones are csh, tcsh and ksh. ▐▌
█ To find the location of a program use: which [program], for example: ▐▌
█ which csh ▐▌
█ which tcsh ▐▌
█ ▐▌
█ chmod 750 /bin/csh ▐▌
█ chmod 750 /usr/bin/tcsh ▐▌
█ ▐▌
█ On standard Debian install there is csh (/bin/csh) and tcsh ▐▌
█ (/usr/bin/tcsh). Find out what other shells are installed on your own ▐▌
█ system. ▐▌
█ ▐▌
█ 4) Doing this, though, will still not prevent a way out of the above ▐▌
█ settings for bash. ▐▌
█ Here are a few examples a user could type in to bypass the steps above: ▐▌
█ Bash will mimic sh, not using the configuration files related to bash: ▐▌
█ /bin/sh ▐▌
█ Or if it exists: ▐▌
█ /bin/rbash ▐▌
█ Then user is able to bypass logging for current session by: ▐▌
█ unset HISTFILE ▐▌
█ ▐▌
█ Or a user can launch bash with options so that it does not read the ▐▌
█ .bashrc file: ▐▌
█ /bin/bash --norc ▐▌
█ HISTFILE= ▐▌
█ ▐▌
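An audit of the states the sections above create, added here as an example and not part of the original page: it reports which accounts have a black-holed, missing, empty, append-only or plain writable .bash_history, and which variables from step 2 a profile file never marks readonly. The function names (classify_history, missing_readonly, audit_homes, demo) are hypothetical, and the sample tree is constructed in a temp directory.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit bash history settings.

# classify_history FILE -> blackholed | symlink | missing | append-only | writable | empty
# chattr +a shows as 'a' in lsattr's first column; lsattr errors (tool absent,
# filesystem without attribute support) are ignored and the check is skipped.
classify_history() {
    local f="$1"
    if [ -L "$f" ]; then
        # "ln /dev/null ~/.bash_history -sf" leaves a symlink to /dev/null
        if [ "$(readlink "$f")" = /dev/null ]; then echo blackholed; else echo symlink; fi
    elif [ ! -e "$f" ]; then
        echo missing
    elif lsattr "$f" 2>/dev/null | awk '{print $1}' | grep -q a; then
        echo append-only
    elif [ -s "$f" ]; then echo writable
    else echo empty
    fi
}

# missing_readonly PROFILE -> variables from step 2 that PROFILE never marks readonly
missing_readonly() {
    local v
    for v in PROMPT_COMMAND HISTSIZE HISTFILE HISTFILESIZE HISTIGNORE HISTCONTROL; do
        grep -Eq "^[[:space:]]*readonly[[:space:]]+(.*[[:space:]])?$v([[:space:]=;]|\$)" "$1" \
            || echo "$v"
    done
}

# audit_homes ROOT -> "state path" for every home directory under ROOT
audit_homes() {
    local d
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        echo "$(classify_history "${d}.bash_history") ${d}.bash_history"
    done
}

# Constructed sample tree so the example runs offline and touches no real account
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/home/alice" "$t/home/bob" "$t/home/carol"
    echo 'ls -la' > "$t/home/alice/.bash_history"
    ln -sf /dev/null "$t/home/bob/.bash_history"
    printf 'readonly HISTFILE\nreadonly HISTFILESIZE\n' > "$t/profile"
    audit_homes "$t/home"
    echo "not readonly: $(missing_readonly "$t/profile" | tr '\n' ' ')"
    rm -rf "$t"
}
demo
```

On a real system, run audit_homes /home and missing_readonly /etc/profile as root.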
█ //---------------------------------------------------------------------- ▐▌
█ ▐▌
█ If you find mistakes, have suggestions, and or questions please post at ▐▌
█ mewbies forum HERE - thank you. ▐▌
█ ▐▌
█ Last update on 20 Jul '10 ▐▌
█ ▐▌
█▌ █▌
█▌ - mewbies.com - █▌
█▌ █▌
██▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄██