Enhance and secure your Bash shells
Information Is Power
The knockout shell that is Bash can also quietly assist by providing a little extra security for your servers. I would probably to call it user auditing or accounting (logging, essentially) rather than security, but I hope you'll find it useful.
It's easy to lose track of when you last logged into a system, or indeed, when other users have. Thankfully, Bash offers a useful way of improving user auditing. You can log when users logged in (and from which IP address), as well as what commands they ran.
What if you want to look for users who log in to a server and then elevated their privileges to a more powerful user that isn't the superuser? (The system might already have a means for tracking superuser access through messages written to /var/log/messages
, /var/log/auth.log
, /var/log/syslog
or other files.) The ever-friendly Bash allows you to insert a simple command to enhance your auditing of all users.
In conjunction with the last | less
command, it's perfectly possible to trace back who has been logging in to your system when and which commands were run. Or, maybe you spent a morning trying to get something working and found that you had indeed fixed it at a certain time from timestamp information held in another log file, and decided that you want to cross-reference the two files?
Enter the history
command in Bash, which lists the history of past Bash commands. history
is hardly a well-kept secret, but many users aren't aware that you can add timestamp information to the history
command. Add the following line to your hungry .bashrc
file:
export HISTTIMEFORMAT="%h/%d - %H:%M:%S "
Next, you could simply reload or refresh your shell with the command mentioned earlier from within your home directory:
# . .bashrc
Now if you type history
, you'll see an output of times and dates, something like the following:
Don't be alarmed if you see some initial timestamps that are all the same (they'll show today's date and time), because the timestamp information for previous commands isn't retrospectively stored when you restart Bash. Try entering a few new commands to see if the command is working.
Displaying the time along with the command will make it much easier to look up when a command that caused a particular server symptom happened so you can correlate the event with later symptoms that turn up in other logs.
The shopping list format history
displays is actually written to the .bash_history
file in the good old Unix epoch timestamp format (1608004274
as I write) and then automagically converted into human-readable format by the history
command.
Less Is More
When running the last
and history
commands, I usually prefer to pipe the output into less
so I can easily move from the top to the bottom of the output and also search proficiently. The less
command displays the output one page at a time. You can quit with a lowercase q
(the entered commands sit bottom left), or search with a question mark followed by a search term.
You can also move to the top or the bottom of text by using the angular brackets <
and >
, respectively.
The last
command has been around for several years, and it also provides a number of other details separate to just timestamps, such as the originating IP address of the login, the type of terminal, and whether the user is still logged in.
Those eagle-eyed among us might also spot the fact that the last
command offers some interesting uptime information – it can tell you when the last reboot or shutdown was. From what I remember, different versions, possibly on differing operating systems, provide slightly different outputs, so your mileage may vary.
In addition to the highly efficacious HISTORY
timestamp config option (which you can configure to provide a number of different options), you'll find a few other useful enhancements within Bash that you might not have stumbled across on your travels.
For example, you can set the size of the .bash_history
file:
export HISTSIZE=1000 export HISTFILESIZE=1000
Also, you might have noticed that the output of the history
command includes a number to the left of each command. If you run the history
command and take note of the number for a command you wish to repeat, you can re-run that command by prepending an exclamation mark, such as:
# !321
Although this trick is undoubtedly useful, especially for long commands, be warned that it's very easy to get the numbers wrong, and running the wrong command, especially as root
, can sometimes be devastating.
Serious Stuff
Now a slightly more serious note. This note might apply more to sys admins looking after very busy servers with thousands of login users, or possibly those looking after servers in what might be considered a relatively hostile environment, such as shared public hosting.
The Bash history
command is quite useful, but clearly it is far from ideal that a user can delete or alter the .bash_history
file after trying to compromise a local/remote server or partake in some other illegal activity.
Veterans describe a simple fix, which ostensibly looks pretty solid, but admittedly, I haven't put it through its paces on many production servers so use this with care. The fix is the chattr
command. On my Debian server, chatrr
is described as being used to "change file attributes on a Linux file system."
You can use the mighty chattr
command to change the attributes to only allow the user to append to the .bash_history
file, as opposed to deleting or editing it.
You need to elevate your privileges to root
, and rather than globally adding this command to every user's .bash_history
files, you might want to test it on one user first with something like:
# chattr +a ~chrisbinnie/.bash_history
If you're feeling brave, this command might save you time – again, use it with care especially as root
; it changes every user's .bash_history
file attributes:
# find / -maxdepth 5 | grep -i .bash_history | \ while read user; do chattr +a "$user"; done
For safety, you can always print which files you're going to change first before running the command:
# find / -maxdepth 5 | grep -i .bash_history | \ while read user; do echo "$user"; done
If you decide you don't like limiting the ability for users to edit that file, you can simply remove the "append only" attribute using a minus instead of a plus sign before the a
(as root):
# chattr -a ~chrisbinnie/.bash_history
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.