Hardening Linux Bash History: Timestamps and Syslog Integration
This guide explains how to enrich Linux Bash history with execution timestamps, user and IP information, and how to modify the Bash source to forward history entries to syslog, ensuring tamper‑resistant audit logs for security incident response.
Limitations of the default history command
On Linux the built‑in history command records only the command line strings. It does not include execution timestamps, the originating user, or the source IP address, which makes forensic analysis and audit correlation difficult. Additionally, careless command usage can expose sensitive data.
Adding timestamps to Bash history
Define the environment variable HISTTIMEFORMAT='%F %T ' (note the trailing space) to prepend each history entry with the date and time. For a system‑wide setting, add the line to /etc/profile; for a single user, add it to ~/.bash_profile. After editing, apply the change with:
source /etc/profile    # or: source ~/.bash_profile
Subsequent history output will display timestamps.
Recording user, IP address, and command together
To capture the current user, the client IP (when accessed via SSH), and the command in each history line, extend HISTTIMEFORMAT with command substitution:
export HISTTIMEFORMAT="%F %T `who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'` `whoami` "
Reload the profile (e.g., source /etc/profile). Each entry will now contain the timestamp, remote IP, and username. Because the backticks sit inside double quotes, they are expanded once when the variable is exported, so the IP and username are fixed for that session rather than re-evaluated for every command.
Drawbacks of environment‑variable based logging
Because the logging relies on shell environment variables, an attacker with shell access can unset the variables or delete ~/.bash_history, erasing evidence. A more robust solution is to send history records to the system logger (syslog) from the Bash binary itself.
Redirecting Bash history to syslog by modifying the source
Obtain the Bash source code (e.g., version 4.4) from the GNU website: https://www.gnu.org/software/bash/. Install build dependencies such as gcc, make, and libc6-dev.
Extract the source and edit bashhist.c to adjust how history entries are formatted when they are sent to syslog (the original article shows the file only as an image, so the exact changes are not reproduced here; typically you would replace the default write_history routine with a call to syslog()).
Enable syslog support by editing config-top.h and uncommenting the line:
#define SYSLOG_HISTORY
Configure the build prefix to avoid overwriting the system Bash:
./configure --prefix=/usr/local/bash
make
make install
This installs the new binaries under /usr/local/bash.
Replace the default shell with the newly built Bash. Recommended steps:
Back up the original binary: cp /bin/bash /bin/bash.bak
Copy the new binary: cp /usr/local/bash/bin/bash /bin/bash (ensure executable permissions with chmod +x /bin/bash).
Alternatively, change the user’s login shell in /etc/passwd to /usr/local/bash/bin/bash.
Verify that history entries are now sent to the syslog facility. By default they appear in /var/log/messages (or /var/log/syslog, depending on the distribution). Use tail -f /var/log/messages while executing commands to see live logging.
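To make concrete what the SYSLOG_HISTORY hook in bashhist.c does, and what to look for when tailing the log, here is an added stand-alone model written for this page, not Bash's own code: it builds the "HISTORY: PID=… UID=… <command>" record in the layout Bash emits, truncates over-long commands, and hands the record to syslog(3) at the user/info defaults from config-top.h. The function names and the HIST_MAXLEN constant are assumptions of this example.

```c
/* Added example, not Bash's own code: a stand-alone model of the syslog
 * hook that SYSLOG_HISTORY switches on in bashhist.c.  Function names and
 * HIST_MAXLEN are assumptions of this example. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/types.h>

#define HIST_MAXLEN 1024   /* longest command text handed to syslog(3) */

/* Build the audit record for one history line into buf.  Commands that do
 * not fit are cut to HIST_MAXLEN-1 bytes and tagged TRUNCATED, so whoever
 * reviews the log knows the line is incomplete.
 * Returns the record length, or -1 if buf is too small. */
int format_history_record(char *buf, size_t buflen, pid_t pid, uid_t uid,
                          const char *line)
{
    const char *tag = strlen(line) < HIST_MAXLEN ? "HISTORY"
                                                 : "HISTORY (TRUNCATED)";
    int n = snprintf(buf, buflen, "%s: PID=%ld UID=%lu %.*s", tag,
                     (long)pid, (unsigned long)uid, HIST_MAXLEN - 1, line);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Forward one history line to syslog at the facility/level defaults from
 * config-top.h (LOG_USER, LOG_INFO).  Returns 0 on success, -1 otherwise. */
int log_history_line(const char *line)
{
    char rec[HIST_MAXLEN + 128];
    if (format_history_record(rec, sizeof rec, getpid(), getuid(), line) < 0)
        return -1;
    syslog(LOG_USER | LOG_INFO, "%s", rec);
    return 0;
}

int main(void)
{
    /* Constructed sample: the record a logged "id" command produces. */
    char rec[HIST_MAXLEN + 128];
    openlog("bash", LOG_PID, LOG_USER);
    format_history_record(rec, sizeof rec, getpid(), getuid(), "id");
    puts(rec);                /* prints the record that syslog will receive */
    log_history_line("id");   /* lands in /var/log/messages or /var/log/syslog */
    closelog();
    return 0;
}
```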
Forwarding logs to a remote syslog server
Configure the system's syslog daemon (e.g., rsyslog or syslog-ng) to forward messages from the auth or user facility to a remote log collector. Example rsyslog snippet:
*.* @remote-log-server:514
(A single @ forwards over UDP; @@ selects TCP.) After reloading the syslog service, Bash history will be transmitted to the remote server, providing an audit trail that a local attacker cannot erase.
Result
By compiling Bash with SYSLOG_HISTORY enabled and directing history output to syslog, the command history becomes resistant to local manipulation, offering reliable forensic data for security audits and incident response.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)