A new series sharing quick wins for organizational security, forensic investigations, incident response and more, each of which you can implement in two minutes or less.
Today’s post is focused on a feature of nearly every shell — command history. The history file is a rich source of evidence of prior user activity, especially on Linux/Unix/macOS systems. One major drawback is that by default it does not store timestamps, which makes analysis of the data difficult and costs a lot of valuable investigative time.
In this post we will cover how to quickly implement timestamps in some common shells, including:
Not all Linux/Unix/macOS platforms are made the same! These are general ways to accomplish this goal, but always test before putting things into production.
To add timestamps for user accounts, modify the ~/.bash_profile file and add the line below:
export HISTTIMEFORMAT="%F %T %z "
This same line can be placed in /etc/bashrc to load across user profiles.
For user accounts, add the below line to
/etc/zshrc for a system-wide implementation.
This will record not only the time each command was executed but also how long it ran — a very handy data point in investigations! Some Z shells, such as csh, though it doesn’t hurt to check!
Enabled by default! Though check that your history file is located at:
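Once timestamps are enabled, the payoff is at analysis time. The small parser below is an added example written for this post, not code from the original article. It assumes the on-disk formats as I know them: bash with HISTTIMEFORMAT set writes a "#<epoch seconds>" comment line ahead of each command in ~/.bash_history, and zsh with extended history writes ": <epoch seconds>:<elapsed seconds>;<command>". The sample history contents are constructed, not captured from a real host. The coverage() helper is a quick triage check for the failure mode described above: a history file with no timestamps at all, meaning the setting was never in place on the examined system.

```python
"""Parse bash and zsh history files into timestamped records.

Added example for this post; not code from the original article.
Formats assumed from my own knowledge of bash (HISTTIMEFORMAT) and
zsh (EXTENDED_HISTORY). All sample data below is constructed.
"""
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional


class HistoryEntry(NamedTuple):
    started: Optional[datetime]   # None when the file carries no timestamp
    elapsed: Optional[int]        # seconds; only zsh records this
    command: str


def parse_bash_history(text: str) -> List[HistoryEntry]:
    """Bash writes '#<epoch>' before each command when HISTTIMEFORMAT is set.
    Without it the file is bare commands, so started stays None."""
    entries: List[HistoryEntry] = []
    pending: Optional[datetime] = None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            pending = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
            continue
        if not line.strip():
            continue
        entries.append(HistoryEntry(pending, None, line))
        pending = None  # a timestamp applies to the next command only
    return entries


def parse_zsh_history(text: str) -> List[HistoryEntry]:
    """Zsh EXTENDED_HISTORY lines look like ': <epoch>:<elapsed>;<command>'.
    Lines that do not match are kept as untimestamped commands."""
    entries: List[HistoryEntry] = []
    for line in text.splitlines():
        if line.startswith(": ") and ";" in line:
            header, _, command = line[2:].partition(";")
            epoch_str, _, elapsed_str = header.partition(":")
            if epoch_str.isdigit() and elapsed_str.isdigit():
                started = datetime.fromtimestamp(int(epoch_str), tz=timezone.utc)
                entries.append(HistoryEntry(started, int(elapsed_str), command))
                continue
        if line.strip():
            entries.append(HistoryEntry(None, None, line))
    return entries


def coverage(entries: List[HistoryEntry]) -> float:
    """Fraction of commands that carry a timestamp (0.0 means the host
    never had timestamping enabled; 1.0 means every command is dated)."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if e.started is not None) / len(entries)


# Constructed samples: the same two commands as each shell would record them.
BASH_WITH_TS = "#1700000000\nls -la /tmp\n#1700000065\ntar czf backup.tgz /etc\n"
BASH_PLAIN = "ls -la /tmp\ntar czf backup.tgz /etc\n"
ZSH_EXTENDED = ": 1700000000:0;ls -la /tmp\n: 1700000065:12;tar czf backup.tgz /etc\n"

if __name__ == "__main__":
    for label, entries in (("bash", parse_bash_history(BASH_WITH_TS)),
                           ("bash (no timestamps)", parse_bash_history(BASH_PLAIN)),
                           ("zsh", parse_zsh_history(ZSH_EXTENDED))):
        print(f"{label}: {coverage(entries):.0%} of commands timestamped")
        for e in entries:
            when = e.started.isoformat() if e.started else "<no timestamp>"
            dur = f" ({e.elapsed}s)" if e.elapsed is not None else ""
            print(f"  {when}{dur}  {e.command}")
```

Timestamps are rendered in UTC here; during an investigation, convert to the host's configured zone (the %z in HISTTIMEFORMAT only affects the interactive history display, the file itself stores epoch seconds).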
Have another shell you use and prefer? Or maybe an alternative implementation on a specific OS? Comment and we can add it to this post for ease of future reference!