Hiding from Bash history
Mon 1st Oct 18
Have you ever logged in to a Linux box, started running commands, and then remembered the bash history will be logging everything you run? I've done it occasionally so thought I should do some research on what the options are to hide this mistake. This is what I came up with; please get in touch if you have any other ideas.
- exit normally - The history is written as normal.
- kill <bash process ID> - Run server side - No history written. I checked to see if the -9 is required but it isn't; just a basic kill shuts down the process with enough of a shock to stop it writing the file.
- kill <ssh process ID> - Run client side - The history is written, even with a -9.
- set +o history - Does not write any of the current session to the log. Can be run at any time during the session and will hide all commands.
- set -o history - Turns logging back on but logs the set command, so it is obvious something has happened.
- unset HISTFILE - Clears the variable which says where the history file is stored, so nothing is stored.
- history -c - Completely clear the history. Very visible as all history is now gone.
- export HISTIGNORE="ls*:cat*" - A colon-separated list of commands to not log. The commands can use shell patterns, which are similar to regular expressions but not the same.
- export HISTFILESIZE=10 - Set the number of commands written to the file to 10. If you've done something you want to hide but want to leave some commands, count back, set the size to less than the total and continue working. All previous history will be gone, so it may look suspicious, but as there will be something there it may not be noticed.
- editing the .bash_history file - If you edit the file in the middle of a session, the edits will appear before the commands for your session. This might be a nice way to add some commands to the history without actually running them.
- using multiple sessions - The bash history file is written as a session terminates, so with two sessions, the first to terminate will write first, then the second will write as it terminates.
- putting a space before a command - Depending on the configuration, putting a space before a command will stop it being logged. This is not much use if you've already typed stuff you do not want logged, but may be useful to slip a couple of commands in between otherwise innocent looking ones. Test this before you rely on it, as it varies from distro to distro and with each user's own configuration. For more information see this blog post: Using Bash History More Efficiently: HISTCONTROL
- history -r - Running this will re-read the history file, effectively resetting the history back to how it was when you logged in. This seems like a very useful command, especially as you can edit the history file, issue the command, then close the shell. This will write out your amended history with no evidence of the changes.
Based on all of these, it looks like "set +o history" is probably the best general purpose method, as it hides all the commands used in the current session but retains the previous history; however, some of the other techniques may help in different scenarios.
Make sure you try these out before you need to rely on them. If you are on a box and realise you need something hiding, don't panic: the history is only written at the end of a session, so as long as your connection is stable you have time to stop, think and do some research before acting. Caveat: this can be overridden to write on every command, says @JPoForenso.
And before someone shouts "But I use <blah shell>, not Bash, so I'm protected against these", yes, you may be, but the day I land on a production box that isn't running Bash is the day I'll start looking at them.
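Seen from the monitoring side, most of the techniques in the list above leave a recognisable command behind. The following is an added example, not part of the original post: a small POSIX shell classifier that tags those commands in a session log. It assumes the input is a record of typed commands kept independently of .bash_history, one command per line; the function names and the sample session are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag the history-tampering commands listed in this post.
# Assumption: input is an independent session log, one typed command per line.

# classify_cmd LINE -> prints a tag for the technique matched, or "ok".
classify_cmd() {
    case "$1" in
        *"set +o history"*)  echo "history-off" ;;
        *"set -o history"*)  echo "history-on" ;;
        *"unset HISTFILE"*)  echo "histfile-unset" ;;
        *HISTFILE=*|*HISTFILESIZE=*|*HISTSIZE=*|*HISTIGNORE=*|*HISTCONTROL=*)
                             echo "hist-var-change" ;;
        *"history -c"*)      echo "history-clear" ;;
        *"history -r"*)      echo "history-reread" ;;
        *.bash_history*)     echo "histfile-touched" ;;
        " "*)                echo "leading-space" ;;  # hidden only if HISTCONTROL ignores it
        *)                   echo "ok" ;;
    esac
}

# scan_session: read commands on stdin, print "lineno:tag:command" per hit.
scan_session() {
    n=0
    while IFS= read -r line; do   # IFS= keeps the leading space intact
        n=$((n + 1))
        tag=$(classify_cmd "$line")
        [ "$tag" = "ok" ] || printf '%s:%s:%s\n' "$n" "$tag" "$line"
    done
}

# Constructed sample session (not real log data).
sample_session() {
    cat <<'EOF'
ls -la /var/www
set +o history
cat /etc/passwd
 id
export HISTFILESIZE=10
history -c
EOF
}

sample_session | scan_session
```

The kill <bash process ID> case is left out because the command text alone does not say which process the PID belongs to.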