

Two-minute InfoSec — Shell History Timestamps

Chapin Bryce (chapindb) ・ Originally published at Medium ・ 2 min read


A new series with the goal of sharing quick wins that can assist organizational security, forensic investigations, incident response and more, each of which you can implement in two minutes or less.

Photo by Kaitlyn Baker on Unsplash

Today’s post is focused on a feature of nearly any shell — command history. This file is a rich source of evidence for prior user activity, especially on Linux/Unix/macOS systems. One major drawback is that, by default, this file does not store timestamps, which makes analysis of the data difficult and costs a lot of valuable investigative time.

In this post we will cover how to quickly implement timestamps in some common shells including:

  • Bash
  • Zsh
  • Fish

Not all Linux/Unix/macOS platforms are made the same! These are general ways to accomplish this goal, but always test before putting things into production.


To add timestamps for Bash user accounts, modify the ~/.bashrc or ~/.bash_profile files and add the below:

export HISTTIMEFORMAT="%F %T %z "

This same line can be placed in /etc/bashrc to load across user profiles.



For user accounts, add the below line to ~/.zshrc, or to /etc/zshrc for system-wide implementation.


This will not only place a timestamp of execution but also the duration of execution — a very handy data point in investigations! Some Z shells, such as csh, though it doesn’t hurt to check!
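What these settings buy an investigator, as an added example that is not part of the original post: a Python parser that turns bash and zsh history files into one timeline. It assumes the on-disk formats the shells use once timestamps are on (`#<epoch>` lines in bash history, and `: <start>:<elapsed>;<command>` in zsh with the EXTENDED_HISTORY option); the function names and sample data are constructed for illustration.

```python
import re
from datetime import datetime, timezone

BASH_TS = re.compile(r"^#(\d{9,})$")           # bash: "#<epoch>" line precedes the command
ZSH_EXT = re.compile(r"^: (\d+):(\d+);(.*)$")  # zsh: ": <start>:<elapsed>;<command>"

# Constructed samples. The first bash entry predates enabling timestamps.
BASH_SAMPLE = "whoami\n#1700000000\nls -la /tmp\n#1700000042\ncat notes.txt\n"
ZSH_SAMPLE = ": 1700000100:0;id\n: 1700000105:12;tar czf backup.tgz docs\n"

def parse_history(text):
    """Return (epoch or None, duration or None, command) for each entry."""
    entries, pending_ts = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ZSH_EXT.match(line)
        if m:
            entries.append((int(m.group(1)), int(m.group(2)), m.group(3)))
            continue
        m = BASH_TS.match(line)
        if m:
            pending_ts = int(m.group(1))  # applies to the next command line
            continue
        # Plain command: use the preceding bash timestamp, if there was one.
        entries.append((pending_ts, None, line))
        pending_ts = None
    return entries

def timeline(text):
    """Render entries in UTC, laid out like the "%F %T %z" format above."""
    rows = []
    for ts, dur, cmd in parse_history(text):
        if ts is None:
            when = "(no timestamp)"  # entry cannot be placed in time
        else:
            when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime(
                "%Y-%m-%d %H:%M:%S %z")
        suffix = f" (ran {dur}s)" if dur is not None else ""
        rows.append(f"{when}  {cmd}{suffix}")
    return rows

if __name__ == "__main__":
    for row in timeline(BASH_SAMPLE) + timeline(ZSH_SAMPLE):
        print(row)
```

Entries recorded before timestamps were enabled come back with no time at all, which is the analysis gap the settings above close.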



For Fish, timestamps are enabled by default! Though check that your history file is located at:


Have another shell you use and prefer? Or maybe an alternative implementation on a specific OS? Comment and we can add it in to this post for ease of future reference!
