Improving Bash Forensics Capabilities
Bash is the default user shell in most Linux distributions, so if an incident affects a UNIX server, chances are that a Bash shell was involved. Bash keeps a history to help the user search (and reuse) previous commands:
$ history | tail -5
 1993  pwd
 1994  whoami
 1995  cd
 1996  cd /tmp
 1997  history | tail -5
$ !1996
cd /tmp
$ ^tmp^opt
cd /opt
$

Here "!1996" re-executes history entry 1996 and "^tmp^opt" re-runs the previous command with the first occurrence of "tmp" replaced by "opt"; in both cases Bash echoes the expanded command before running it.
By default, entries carry no time stamp, which makes them of little use for rebuilding a timeline. Setting HISTTIMEFORMAT (a strftime format string) makes the history builtin display when each command was run:

$ export HISTTIMEFORMAT="%d/%m/%y %T "
$ history | tail -5
 1997  27/03/16 10:58:22 history | tail -5
 1998  27/03/16 10:58:33 cd /tmp
 1999  27/03/16 10:58:42 cd /opt
 2000  27/03/16 11:00:26 export HISTTIMEFORMAT="%d/%m/%y %T "
 2001  27/03/16 11:00:29 history | tail -5
$
For centralised collection, Bash can also be rebuilt so that every line added to the history is sent to syslog. In config-top.h of the Bash source tree, uncomment SYSLOG_HISTORY (the facility and level default to LOG_USER and LOG_INFO), then rebuild and install:

$ vi config-top.h
#define SYSLOG_HISTORY
#if defined (SYSLOG_HISTORY)
#  define SYSLOG_FACILITY LOG_USER
#  define SYSLOG_LEVEL LOG_INFO
#endif
$ ./configure
$ make install
Several other variables control what Bash records (descriptions taken from the Bash reference manual):

HISTFILE
    The name of the file to which the command history is saved. The default value is ~/.bash_history.

HISTFILESIZE
    The maximum number of lines contained in the history file. When this variable is assigned a value, the history file is truncated, if necessary, to contain no more than that number of lines by removing the oldest entries. The history file is also truncated to this size after writing it when a shell exits. If the value is 0, the history file is truncated to zero size. Non-numeric values and numeric values less than zero inhibit truncation. The shell sets the default value to the value of HISTSIZE after reading any startup files.

HISTIGNORE
    A colon-separated list of patterns used to decide which command lines should be saved on the history list. Each pattern is anchored at the beginning of the line and must match the complete line (no implicit '*' is appended). Each pattern is tested against the line after the checks specified by

HISTCONTROL
    A colon-separated list of values controlling how commands are saved on the history list. If the list of values includes ignorespace, lines which begin with a space character are not saved in the history list. A value of ignoredups causes lines matching the previous history entry to not be saved. A value of ignoreboth is shorthand for ignorespace and ignoredups. A value of erasedups causes all previous lines matching the current line to be removed from the history list before that line is saved.

HISTSIZE
    The maximum number of commands to remember on the history list. If the value is 0, commands are not saved in the history list. Numeric values less than zero result in every command being saved on the history list (there is no limit). The shell sets the default value to 500 after reading any startup files.

HISTTIMEFORMAT (already discussed)
    If this variable is set and not null, its value is used as a format string for strftime to print the time stamp associated with each history entry displayed by the history builtin. If this variable is set, time stamps are written to the history file so they may be preserved across shell sessions. This uses the history comment character to distinguish timestamps from other history lines.
You can also affect the way history is recorded with the shopt builtin. histappend makes Bash append the session's history to the history file on exit instead of overwriting it (so concurrent sessions no longer wipe each other's entries); cmdhist saves a multi-line command as a single history entry; and lithist, when cmdhist is enabled, keeps the embedded newlines in that entry instead of replacing them with semicolons:

$ shopt -s histappend
$ shopt -s cmdhist
$ shopt -s lithist
With HISTTIMEFORMAT set, the time stamps are written to the history file as comment lines holding the epoch time, each one preceding the command it belongs to:

$ tail -10 .bash_history
#1458933529
history|less
#1458933544
vi .bash_history
#1458933792
wc -l .bash_history
#1458976122
more .bash_history
#1458976132
echo foobar
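To make those markers useful during an investigation, here is an added example (not from the original diary) that turns such a history file into a UTC timeline and counts the entries that carry no marker. It assumes only POSIX sh, awk and a date command that accepts either GNU "-d @epoch" or BSD "-r epoch"; the sample history is constructed for the example, with one entry recorded before HISTTIMEFORMAT was set.

```shell
#!/bin/sh
# Added example, not part of the original diary: rebuild a UTC timeline from a
# Bash history file written with HISTTIMEFORMAT set. Bash stores each time stamp
# as a "#<epoch>" comment line immediately before the command it belongs to.

# Constructed sample history. The first entry carries no time stamp, as happens
# for commands recorded before HISTTIMEFORMAT was enabled.
SAMPLE_HISTORY='whoami
#1458933529
history|less
#1458933544
vi .bash_history
#1458933792
wc -l .bash_history
#1458976132
echo foobar'

# epoch_to_utc EPOCH: format seconds since the epoch as "YYYY-MM-DD HH:MM:SS" UTC.
# GNU date takes -d "@epoch"; BSD/macOS date takes -r epoch.
epoch_to_utc() {
    date -u -d "@$1" +'%Y-%m-%d %H:%M:%S' 2>/dev/null ||
        date -u -r "$1" +'%Y-%m-%d %H:%M:%S'
}

# bash_history_timeline FILE: print one tab-separated line per command,
# "<UTC time or (no timestamp)>\t<epoch or ->\t<command>".
bash_history_timeline() {
    ts=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'*)
                digits=${line#"#"}
                case $digits in
                    ''|*[!0-9]*) ;;                # a "# comment" typed by the user, not a marker
                    *) ts=$digits; continue ;;     # "#<epoch>" marker: applies to the next command
                esac
                ;;
        esac
        if [ -n "$ts" ]; then
            when=$(epoch_to_utc "$ts")
        else
            when='(no timestamp)'                  # recorded before HISTTIMEFORMAT was set
        fi
        printf '%s\t%s\t%s\n' "$when" "${ts:--}" "$line"
        ts=''                                      # a marker covers only the command that follows it
    done < "$1"
}

# count_untimestamped FILE: number of entries lacking a marker. A large share
# means HISTTIMEFORMAT was enabled late, or that the file was edited by hand.
count_untimestamped() {
    bash_history_timeline "$1" | awk -F'\t' '$2 == "-" { n++ } END { print n + 0 }'
}

# Stand-alone run on the embedded sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_HISTORY" > "$tmp"
bash_history_timeline "$tmp"
echo "entries without timestamp: $(count_untimestamped "$tmp")"
rm -f "$tmp"
```

Run it against a copy of the suspect's .bash_history rather than the live file, and keep in mind that the markers are plain text: an attacker who can edit the file can edit the times as easily as the commands, so treat the timeline as a lead to correlate with syslog or psacct, not as proof.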
You can set these variables system-wide in /etc/bash.bashrc or, per user, in $HOME/.bashrc. Note that none of them prevents a malicious user from disabling the Bash history: spawning another shell (zsh, ksh) is enough to escape the logging. If you really want to track what users are doing, have a look at psacct, which runs in the background to record user activity (not only from Bash).
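Collecting the settings above into one system-wide fragment, as an added example and not the diary's own file: every line is a Bash variable or shopt option described on this page, except the PROMPT_COMMAND line, which is an addition that writes each entry to the file as soon as the prompt returns instead of waiting for the shell to exit.

```shell
# Added example: /etc/bash.bashrc fragment collecting the history settings
# discussed on this page. Not the diary's own file; the PROMPT_COMMAND line
# goes beyond the diary.
[ -n "$BASH_VERSION" ] || return          # only meaningful when sourced by Bash

# Time stamp every entry; stored in the file as "#<epoch>" comment lines.
export HISTTIMEFORMAT='%d/%m/%y %T '

# Keep everything: a negative HISTSIZE removes the in-memory limit and a
# negative HISTFILESIZE inhibits truncation of the history file.
export HISTSIZE=-1
export HISTFILESIZE=-1
export HISTFILE="$HOME/.bash_history"

# The weak settings to avoid: ignorespace lets "  cmd" vanish from the record
# and HISTIGNORE patterns silently drop whole command lines. Clear both.
unset HISTCONTROL
unset HISTIGNORE

# Append instead of overwrite, and keep multi-line commands as one entry with
# their newlines intact.
shopt -s histappend cmdhist lithist

# Addition beyond the diary: flush the history after every command, so a session
# that is killed (or never exits cleanly) still leaves a trace on disk.
PROMPT_COMMAND="history -a${PROMPT_COMMAND:+; $PROMPT_COMMAND}"
```

A user's own ~/.bashrc runs after this file and can undo any of it, which is the limitation the paragraph above describes; the fragment raises the bar for careless or opportunistic actors, not for someone who knows to unset HISTFILE or start another shell.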
Happy Easter break!
Xavier Mertens
ISC Handler - Freelance Security Consultant