Gentoo Wiki

SECURITY_Adjusting_The_Way_Bash_History_Functions

This article is part of the Security series.


Abstract

This document lists a few methods that help increase security as it relates to the bash history file. The examples range from disabling history altogether to limiting the size of the history or which commands are recorded in it.

Using a bash history located on a tmpfs or ramfs mount should be safe (aside from anyone able to read the machine's memory; note that tmpfs pages can be swapped out to disk unless swap is disabled or encrypted, while ramfs never swaps). It won't be written to disk and avoids the problem of permanency of sensitive data.

About .bash_history

The file .bash_history is used by the Bourne Again SHell (Bash) to store a history of commands typed by a specific user. It normally resides in the user's home directory. If history is enabled, previous commands can be recalled, usually by hitting the up arrow, by using history expansion such as !!, !num or !string, or by running the history builtin. Changing the way history functions is done by exporting various variables. Bash saves the history file when it exits.

See the bash(1) and history(3) manpages for more information, in particular the section on controlling bash history.

Why Disable This File?

For security purposes you should not use a .bash_history file, or you should limit what is recorded into it, because secrets such as passwords, keys, or other sensitive data could be written to the disk. Once something is written to the disk it is, in theory, always going to be recoverable -- even after deleting the file, overwriting the saved data an arbitrary number of times, and physically damaging the platters. The only known way to completely destroy data is to obliterate the platters themselves, i.e. melt 'em down. The underlying reason is slightly complex and I won't go into it here (I have an awesome whitepaper on this but I cannot find it at the moment). So, if you need to keep your data secure and security is critical, or you just want to thwart snooping of your data in case the machine is physically stolen, then practices like this together with good hard drive encryption are your key. On another note, under most circumstances it is probably still safe (and useful) to keep history available in RAM. Of course, disabling .bash_history means that history will be lost when you log out or close the terminal session.

Steps

In all the following scenarios you will need to be root. These are some examples; feel free to mix and match.

Completely Disabling History For All Users (Not Recommended)

This will completely disable bash history for all users; keystroke history and recall will not be available.

Add the following lines to your /etc/profile:

File: /etc/profile
# Keep any history file that might still be written to a single line
export HISTFILESIZE=1
# Keep only a handful of lines in memory
export HISTSIZE=4
# With HISTFILE unset, bash has no file to write on exit
unset HISTFILE

Finally, for an added measure of protection, link .bash_history to /dev/null in each user's home directory, including root's (remove any existing .bash_history first, or ln will refuse to create the link):

Command (run as root in each user's home directory, including root's):
# ln -s /dev/null ~/.bash_history

This is well and good, but if you are really supposed to be ultra secure, then you need to reevaluate your security plan and, um, probably replace some disks tainted with secrets!

Disabling Bash History For ALL Users (Recommended)

This will disable the Bash history file for all users, but retain in-memory keystroke history and recall, limited to 100 lines.

Add the following lines to your /etc/profile:

File: /etc/profile
# Keep any history file that might still be written very small
export HISTFILESIZE=4
# With HISTFILE unset, nothing is written to disk on exit
unset HISTFILE

# Change this to a reasonable number of lines to keep in memory; I like to save only 100.
export HISTSIZE=100

Disabling Bash History Per User

This will disable the Bash history file on a per-user basis, retaining in-memory keystroke history and recall, limited to 100 lines. It will also not record duplicate lines next to each other.

Add the following lines to the user's .bash_profile in their home directory:

File: .bash_profile
# Keep any history file that might still be written very small
export HISTFILESIZE=4
# With HISTFILE unset, nothing is written to disk on exit
unset HISTFILE

# Change this to a reasonable number of lines to keep in memory; I like to save only 100.
export HISTSIZE=100

# Ignores duplicate lines next to each other
export HISTCONTROL=ignoredups

Limiting Bash History But Not Disabling

This will limit Bash history on a per-user basis: in-memory keystroke history and recall are retained but limited to 100 lines, consecutive duplicate lines are not recorded, and lines with a leading space are not recorded. This is useful because you can choose which lines you do not wish to record in history. You should also read about HISTIGNORE in bash's manpage, which can ignore certain patterns, such as the su command.

Add the following lines to the user's .bash_profile in their home directory:

File: .bash_profile

# Maximum number of lines that can be written to the file
export HISTFILESIZE=100

# You can set this to any filename you would like, including /dev/null :) if you can write to the file.
#export HISTFILE=~/.bash_history

# Change this to a reasonable number of lines to keep in memory
export HISTSIZE=100

# Ignores duplicate lines next to each other and ignores a line with a leading space (ignoredups and ignorespace combined)
export HISTCONTROL=ignoreboth
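As an added example that is not part of the original article, the following script replays a constructed command sequence through a throwaway bash with a temporary HISTFILE and prints which lines actually reach the history file under the HISTCONTROL, HISTIGNORE and HISTSIZE settings discussed above. It assumes only that bash is on the PATH; the function names and the replayed commands are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): replays a constructed command sequence in
# a throwaway bash with a temporary HISTFILE and prints what bash actually
# wrote, so the effect of HISTCONTROL, HISTIGNORE and HISTSIZE can be checked
# without touching ~/.bash_history. Function names are this example's own.

# Script for the throwaway shell. The function is parsed before history is
# switched on, so only the replayed lines are recorded; "history -s" adds a
# line as if it had been typed, through the same filters.
# Args: $1=HISTCONTROL $2=HISTIGNORE $3=HISTSIZE $4=history file
SESSION_SCRIPT='
simulate_session() {
  HISTCONTROL=$1
  HISTIGNORE=$2
  HISTSIZE=$3                        # stifles the in-memory list right away
  HISTFILE=$4                        # set before enabling so nothing else loads
  set -o history                     # non-interactive shells start with it off
  history -s "whoami"
  history -s "ls -l /etc"
  history -s "ls -l /etc"            # consecutive duplicate
  history -s " export TOKEN=abc123"  # leading space; constructed secret
  history -s "su -"                  # matched by a HISTIGNORE of "su *"
  history -s "cat /etc/hostname"
  history -s "id"
  history -w                         # write the in-memory list to HISTFILE
  set +o history                     # keep the exit path from rewriting it
  cat "$HISTFILE"
}
simulate_session "$@"
'

# record_history HISTCONTROL HISTIGNORE HISTSIZE: prints the history-file
# lines that survive those settings for the sequence above.
record_history() {
  histfile=$(mktemp) || return 1
  bash --norc --noprofile -c "$SESSION_SCRIPT" bash "$1" "$2" "$3" "$histfile"
  rm -f "$histfile"
}

# Stand-alone demo: the article's ignoreboth plus a HISTIGNORE for su, with
# HISTSIZE=3, versus no filtering at all.
echo "== HISTCONTROL=ignoreboth HISTIGNORE='su *' HISTSIZE=3 =="
record_history ignoreboth 'su *' 3
echo "== no filtering, HISTSIZE=500 =="
record_history '' '' 500
```

With ignoreboth, the HISTIGNORE pattern and HISTSIZE=3 only "ls -l /etc", "cat /etc/hostname" and "id" survive; without any filtering all seven constructed lines, including the one holding the secret, are written.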

Finishing Up

To activate these settings after you are finished, you will either need to open a new terminal, log out, or source the proper file. It is best to just log out and back in. Remember, if you have disabled .bash_history, to delete it in each user's home directory and in root's when you are all finished.

Retrieved from "http://www.gentoo-wiki.info/SECURITY_Bash_History_Functions"

Last modified: Mon, 04 Aug 2008 08:58:00 +0000