Linux – Disable the ability to hide Bash command history
Tags: bash, history, linux, shell
A user can hide the command history in Bash by either
appending a space before the command, or
running unset HISTFILE
How can I disable this?
Best Answer
There are a couple of things that you can do but ultimately for a sufficiently sophisticated user they can easily be bypassed.
You can set the relevant history control variables (HISTFILE, HISTFILESIZE, HISTSIZE, HISTCONTROL, HISTIGNORE) to values that you want and make them readonly. Do this in a convenient system-wide initialisation file that users cannot edit. So for example you could set
This though doesn't stop the user from editing the $HISTFILE and removing commands from it or deleting the file and then linking it to /dev/null so that commands are again hidden.
You can solve this by making the $HISTFILE append-only with chattr:
chattr +a /home/alice/.bash_history
Now the .bash_history can't be changed, only added to (don't forget to put some sort of pruning in place). We can see everything the user does ... nope,
It is easy for the user to bypass these restrictions:
They can run another shell (there are several available). Sure you can stop them from executing these but that can cause unexpected problems elsewhere too.
They can run bash --norc --noprofile which bypasses all of the initialization scripts, they can then trivially source a script containing the settings/initialisation they want. You'll be able to see they did this but not what they subsequently did.
If you want to be able to log a user's activity in a manner that they cannot circumvent then you need to use auditing, not history.
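One way to implement the read-only part of this answer, added here as example code rather than the answer's own: a function that emits the system-wide snippet (assumed to be installed under /etc/profile.d, a path the answer does not name) and a check that runs it in a throwaway bash and confirms the variables can no longer be unset or reassigned. It does nothing about the --norc/--noprofile bypass the answer describes.

```shell
#!/usr/bin/env bash
# Added example, not from the original answers. Assumed install location:
# /etc/profile.d/99-history.sh (root-owned, so ordinary users cannot edit it).

# Emit the policy snippet an administrator would install system-wide.
history_policy_snippet() {
    cat <<'EOF'
# History controls are fixed and read-only; the file is only ever appended to.
HISTFILE="$HOME/.bash_history"
HISTFILESIZE=100000
HISTSIZE=100000
HISTCONTROL=""    # empty: no ignorespace, so leading-space lines are recorded
HISTIGNORE=""     # empty: no pattern exempts a command from history
readonly HISTFILE HISTFILESIZE HISTSIZE HISTCONTROL HISTIGNORE
shopt -s histappend
EOF
}

# Check that, with the snippet in effect, "unset HISTFILE" and a reassignment
# of HISTCONTROL are both rejected. Runs in a child bash with HOME=/tmp so
# nothing on the real system is touched. Returns 0 when the policy holds.
check_history_policy() {
    local snippet
    snippet="$(history_policy_snippet)"
    HOME=/tmp bash -c "
        $snippet
        unset HISTFILE 2>/dev/null && exit 1            # must be refused
        HISTCONTROL=ignorespace 2>/dev/null && exit 1   # must be refused
        [ \"\$HISTFILE\" = /tmp/.bash_history ] || exit 1
        [ -z \"\$HISTCONTROL\" ] || exit 1
        exit 0
    "
}
```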
And I just remembered another answer; this one is the actual answer to your question.
If you have "ignorespace" in HISTCONTROL, then bash won't remember any line beginning with a space character. It won't appear even in the current shell's history, let alone be saved to $HISTFILE.
e.g. I have export HISTCONTROL='ignoreboth:erasedups' in my ~/.bashrc
Here are the details from the bash man page:
HISTCONTROL
A colon-separated list of values controlling how commands are
saved on the history list. If the list of values includes
ignorespace, lines which begin with a space character are not
saved in the history list. A value of ignoredups causes lines
matching the previous history entry to not be saved. A value of
ignoreboth is shorthand for ignorespace and ignoredups. A value
of erasedups causes all previous lines matching the current line
to be removed from the history list before that line is saved.
Any value not in the above list is ignored. If HISTCONTROL is
unset, or does not include a valid value, all lines read by the
shell parser are saved on the history list, subject to the value
of HISTIGNORE. The second and subsequent lines of a multi-line
compound command are not tested, and are added to the history
regardless of the value of HISTCONTROL.