
A user can hide the command history in Bash by either:

  1. appending a space before the command
  2. unsetting HISTFILE

How can I disable this?

Peter Mortensen
Ryan
  • What are you actually trying to achieve? – user9517 May 29 '14 at 07:24
  • @lain, "Disable the ability to hide bash command history" – Ryan May 29 '14 at 08:41
  • What are you trying to achieve by doing this? It seems like you are in an [xy](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) situation. – user9517 May 29 '14 at 09:02
  • Just repeating yourself when asked for clarification is not helpful. Can you explain what you are trying to accomplish? – Michael Hampton May 29 '14 at 15:08
  • Users might have a good reason to want to hide certain commands from their history. Some commands even require you to enter your password as a parameter. – RobinJ May 29 '14 at 18:50

1 Answer


There are a couple of things that you can do, but ultimately, for a sufficiently sophisticated user, they can easily be bypassed.

You can set the relevant history control variables (HISTFILE, HISTFILESIZE, HISTSIZE, HISTCONTROL, HISTIGNORE) to values that you want and make them readonly. Do this in a convenient system-wide initialisation file that users cannot edit. So, for example, you could set

```
readonly HISTFILE=~/.bash_history
# Clear HISTCONTROL, then lock it so it cannot be set again
unset HISTCONTROL
readonly HISTCONTROL
```

or

```
readonly HISTCONTROL=ignoredups
```

This though doesn't stop the user from editing the $HISTFILE and removing commands from it or deleting the file and then linking it to /dev/null so that commands are again hidden.

You can solve this by making the $HISTFILE append only with chattr:

```
chattr +a /home/alice/.bash_history
```

Now the .bash_history can't be changed, only added to (don't forget to put some sort of pruning in place). We can see everything the user does ... nope,

It is easy for the user to bypass these restrictions

  • They can run another shell (there are several available). Sure, you can stop them from executing these, but that can cause unexpected problems elsewhere too.
  • They can run `bash --norc --noprofile`, which bypasses all of the initialization scripts; they can then trivially source a script containing the settings/initialisation they want. You'll be able to see they did this but not what they subsequently did.

If you want to be able to log a user's activity in a manner that they cannot circumvent, then you need to use auditing, not history.

user9517
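A way to check whether the settings described in the answer above actually took effect, as an added example that is not part of the original answer. The function names `var_is_locked` and `histfile_state` are hypothetical, and the init file and history files are constructed samples in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example (not from the answer). Function names are hypothetical.

# var_is_locked INIT_FILE VAR
# Prints "locked" if a bash that has sourced INIT_FILE refuses "unset VAR".
# --norc/--noprofile keep the host's own startup files out of the measurement.
var_is_locked() {
    bash --norc --noprofile -c '
        . "$1" >/dev/null 2>&1
        if unset -v "$2" 2>/dev/null; then echo unlocked; else echo locked; fi
    ' _ "$1" "$2"
}

# histfile_state PATH
# Prints symlink | missing | append-only | mutable | unknown.
histfile_state() {
    if [ -L "$1" ]; then echo symlink; return 0; fi   # e.g. linked to /dev/null
    if [ ! -e "$1" ]; then echo missing; return 0; fi
    # lsattr may be absent or unsupported on this filesystem
    attrs=$(lsattr -d -- "$1" 2>/dev/null) || { echo unknown; return 0; }
    case ${attrs%% *} in
        *a*) echo append-only ;;   # chattr +a is in effect
        *)   echo mutable ;;
    esac
}

# Constructed sample: an init file with the answer's settings, an ordinary
# history file, and one replaced by a link to /dev/null.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'readonly HISTFILE=~/.bash_history' \
        'unset HISTCONTROL' 'readonly HISTCONTROL' > "$dir/init.sh"
    : > "$dir/history"
    ln -s /dev/null "$dir/hidden_history"
    for v in HISTFILE HISTCONTROL HISTIGNORE; do
        echo "$v: $(var_is_locked "$dir/init.sh" "$v")"
    done
    echo "history: $(histfile_state "$dir/history")"
    echo "hidden_history: $(histfile_state "$dir/hidden_history")"
    rm -rf "$dir"
}
demo
```

HISTIGNORE is reported as unlocked because the sample init file only locks HISTFILE and HISTCONTROL. These checks cover the variable and file settings only; they say nothing about a user starting a different shell.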