Two-minute InfoSec — Shell History Timestamps
A new series sharing quick wins for organizational security, forensic investigations, incident response and more, each of which you can implement in two minutes or less.
Today’s post is focused on a feature of nearly any shell — command history. The history file is a rich source of evidence of prior user activity, especially on Linux/Unix/macOS systems. One major drawback is that, by default, this file does not store timestamps, which makes analysis of the data difficult and costs a lot of valuable investigative time.
In this post we will cover how to quickly implement timestamps in some common shells including:
- Bash
- Zsh
- Fish
Not all Linux/Unix/macOS platforms are made the same! These are general ways to accomplish this goal, but always test before putting things into production.
Bash
To add timestamps for user accounts, modify the ~/.bashrc or ~/.bash_profile file and add the line below:
export HISTTIMEFORMAT="%F %T %z "
This same line can be placed in /etc/bashrc to load across user profiles.
Source: https://linux.die.net/man/1/bash
Zsh
For user accounts, add the line below to ~/.zshrc, or to /etc/zshrc for a system-wide implementation.
setopt EXTENDED_HISTORY
This will record not only a timestamp of execution but also the duration of execution — a very handy data point in investigations! Some shells, such as csh, may lack an equivalent, though it doesn’t hurt to check!
Source: http://zsh.sourceforge.net/Doc/Release/Options.html#Options
Fish
Timestamps are enabled by default! Just check that your history file is located at:
~/.local/share/fish/fish_history
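Once the settings above are in place, the timestamps land in the history files in three different on-disk formats, which is where the investigative value is: bash, with HISTTIMEFORMAT set, writes a `#<epoch>` comment line before each command; zsh, with EXTENDED_HISTORY, writes `: <epoch>:<elapsed seconds>;<command>`; fish writes a `- cmd:` record followed by an indented `when: <epoch>`. The script below is an added example, not part of the original post, that parses all three formats into one chronological, UTC-normalised timeline, and keeps bash commands that predate the setting (which have no `#<epoch>` line) rather than silently dropping them. The three sample history snippets are constructed for the example; the parsers, timestamps and commands are not taken from any real system.

```python
"""Merge bash, zsh and fish history files into one timestamped timeline."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class HistEntry:
    shell: str
    when: datetime | None        # None when the record predates timestamping
    command: str
    duration: int | None = None  # seconds the command ran (zsh only)


def _utc(epoch: int) -> datetime:
    # Normalise every shell's epoch seconds to an aware UTC datetime
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def parse_bash(text: str) -> list[HistEntry]:
    """bash with HISTTIMEFORMAT set: a '#<epoch>' line precedes each command.
    Commands written before the setting existed have no such line and are
    kept with when=None so the analyst still sees them."""
    entries: list[HistEntry] = []
    pending: int | None = None
    for line in text.splitlines():
        if re.fullmatch(r"#\d+", line):
            pending = int(line[1:])
            continue
        if not line.strip():
            continue
        entries.append(HistEntry("bash", _utc(pending) if pending is not None else None, line))
        pending = None
    return entries


_ZSH = re.compile(r"^: (\d+):(\d+);(.*)$")


def parse_zsh(text: str) -> list[HistEntry]:
    """zsh with EXTENDED_HISTORY: ': <epoch>:<elapsed>;<command>'.
    A multi-line command is stored with a trailing backslash on every line
    but the last, so an unmatched line continues the previous entry."""
    entries: list[HistEntry] = []
    for line in text.splitlines():
        m = _ZSH.match(line)
        if m:
            epoch, elapsed, cmd = m.groups()
            entries.append(HistEntry("zsh", _utc(int(epoch)), cmd, int(elapsed)))
        elif entries and entries[-1].command.endswith("\\"):
            entries[-1].command = entries[-1].command[:-1] + "\n" + line
    return entries


def parse_fish(text: str) -> list[HistEntry]:
    """fish: '- cmd: <command>' followed by an indented 'when: <epoch>'."""
    entries: list[HistEntry] = []
    for line in text.splitlines():
        if line.startswith("- cmd: "):
            entries.append(HistEntry("fish", None, line[len("- cmd: "):]))
        elif line.strip().startswith("when: ") and entries:
            entries[-1].when = _utc(int(line.strip()[len("when: "):]))
    return entries


def timeline(*groups: list[HistEntry]) -> list[HistEntry]:
    """Merge several shells' entries chronologically; undated ones sort first."""
    merged = [e for g in groups for e in g]
    return sorted(merged, key=lambda e: e.when.timestamp() if e.when else -1.0)


def render(entries: list[HistEntry]) -> list[str]:
    """One line per command: ISO-8601 UTC time (or a marker), shell, command.
    A zsh duration is shown only when non-zero."""
    out = []
    for e in entries:
        ts = e.when.isoformat() if e.when else "(no timestamp)"
        dur = f" [{e.duration}s]" if e.duration else ""
        out.append(f"{ts} {e.shell}{dur} {e.command}")
    return out


# Constructed sample history snippets (not from a real host). 1700000000 is
# 2023-11-14T22:13:20Z; the first bash command predates HISTTIMEFORMAT.
BASH_SAMPLE = "uptime\n#1700000000\nwhoami\n#1700000060\ntar czf /tmp/www-backup.tgz /var/www\n"
ZSH_SAMPLE = (": 1700000120:0;whoami\n"
              ": 1700000180:42;tar czf /tmp/www-backup.tgz /var/www\n"
              ": 1700000300:0;echo line one \\\nline two\n")
FISH_SAMPLE = ("- cmd: whoami\n  when: 1700000240\n"
               "- cmd: tar czf /tmp/www-backup.tgz /var/www\n  when: 1700000360\n"
               "  paths:\n    - /var/www\n")


def build_sample_timeline() -> list[str]:
    return render(timeline(parse_bash(BASH_SAMPLE), parse_zsh(ZSH_SAMPLE), parse_fish(FISH_SAMPLE)))


if __name__ == "__main__":
    for line in build_sample_timeline():
        print(line)
```

Point the three parsers at real `~/.bash_history`, `~/.zsh_history` and `~/.local/share/fish/fish_history` files collected from a host and the same merge gives a per-user command timeline across shells; the `(no timestamp)` marker is the tell that a host only gained timestamping part-way through its history.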
Have another shell you use and prefer? Or maybe an alternative implementation on a specific OS? Comment and we can add it in to this post for ease of future reference!