Adding timestamps to the history command's records
2022-07-24 06:32:00 【Step on the path of the pit】
On a Linux system, the history command lets you view all of a user's past commands. By default, however, it shows only the commands themselves: it does not record which user ran them or when, which makes audit analysis inconvenient.
Of course, poor operating habits can also leak sensitive information through the command history.
Add time to command history
Setting export HISTTIMEFORMAT='%F %T ' adds the command execution time to the history output.
This setting can be written to /etc/profile or, to configure only a specific user, to /home/$USER/.bash_profile. For example, at the end of /etc/profile:
unset i
unset -f pathmunge
export HISTTIMEFORMAT='%F %T '
For the configuration to take effect immediately, run source /etc/profile. Check the history records again and you will see the execution time of each command.
1012 2021-03-22 13:59:10 vim /etc/profile
1013 2021-03-22 13:59:18 source /etc/profile
1014 2021-03-22 13:59:22 history
To get more detailed records, for example with the logged-in user, the IP address, the command and the time matched up on each line, add the following to /etc/profile.
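# The backquoted commands run once, when the profile is sourced; "am i" limits who to the current login session
export HISTTIMEFORMAT="%F %T `who -u am i 2>/dev/null | awk '{print $NF}'|sed 's/[()]//g'` `whoami` "
After modifying /etc/profile and reloading it, the history records look like the following, with the time, IP, user and executed command matched up on each line: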
1042 2021-03-22 14:20:39 124.193.98.180 root vim /etc/profile
1043 2021-03-22 14:20:52 124.193.98.180 root source /etc/profile
1044 2021-03-22 14:20:53 124.193.98.180 root history
This configuration basically meets the needs of day-to-day auditing. Anyone familiar with the system will readily see its limit, though: the method only sets an environment variable. An attacker can unset the variable, or simply delete the command history, and for security incident response that is undoubtedly a disaster.
To address this, we should modify the bash source code so that history records are sent through syslog to a remote log server, which makes it much harder for an attacker to damage the integrity of the history records.
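The weakness described above leaves a trace that can be checked for: bash writes a `#<epoch>` line above each entry in the history file only while HISTTIMEFORMAT is set, so entries saved after the variable was unset have no timestamp line. The following is an added example, not code from the original post; the function names, flag labels and sample history file are constructed for illustration, and it assumes one command per line in the file.

```shell
#!/bin/sh
# Added example (not from the original post): audit a bash history file.
# bash stores each entry's time as a "#<epoch>" line above the command, but
# only while HISTTIMEFORMAT is set; the variable's value affects display only.

# audit_history FILE -> one line per command: <epoch or ->, <flags>, <command>
audit_history() {
    awk '
        /^#[0-9]+$/ { ts = substr($0, 2); next }   # timestamp of the next entry
        {
            flags = ""
            if (ts == "") flags = "NO_TIMESTAMP"   # written with the variable unset
            if ($0 ~ /unset[ \t].*HISTTIMEFORMAT/ ||
                $0 ~ /history[ \t]+-[a-z]*[cd]/ ||
                $0 ~ /\.bash_history/)
                flags = (flags == "" ? "" : flags ",") "HISTORY_TAMPER"
            if (flags == "") flags = "ok"
            printf "%s\t%s\t%s\n", (ts == "" ? "-" : ts), flags, $0
            ts = ""
        }' "$1"
}

# count_flag FILE FLAG -> number of entries carrying FLAG
count_flag() {
    audit_history "$1" | awk -F '\t' -v f="$2" 'index($2, f) { n++ } END { print n + 0 }'
}

# Constructed sample: three timestamped entries, then entries saved after
# HISTTIMEFORMAT was unset, then a timestamped history deletion.
write_sample() {
    cat > "$1" <<'EOF'
#1616392750
vim /etc/profile
#1616392758
source /etc/profile
#1616392762
history
unset HISTTIMEFORMAT
ls -la /tmp
#1616400000
history -d 1044
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_history "$sample"
rm -f "$sample"
```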