How to Harden Bash History: Timestamps, IP Logging, and Syslog Integration

Linux's history command records user commands but lacks timestamps and user identification, limiting audit usefulness.

1. Add timestamps to history

Set the environment variable HISTTIMEFORMAT='%F %T ' (note the space after %T) in /etc/profile or a user's ~/.bash_profile to include execution time in history output.

After reloading the profile with source /etc/profile, history shows timestamps.

For more detailed logs that include the login user, IP address, command, and time, add the following line to /etc/profile:

export HISTTIMEFORMAT="%F %T `who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'` `whoami` "

Now each history entry records time, IP, and user.

2. Modify Bash source to send history to syslog

Download Bash source (e.g., version 4.4) from GNU, edit bashhist.c as needed, and enable syslog support by uncommenting #define SYSLOG_HISTORY in config-top.h.

Compile and install Bash with:

./configure --prefix=/usr/local/bash
make
make install

Replace the system Bash binary (after backing it up) and ensure it has executable permissions.

After replacement, history entries are written to /var/log/messages. To forward them to a remote log server, configure the system's syslog daemon accordingly.

These steps provide a more tamper‑resistant audit trail, preventing attackers from easily erasing or altering command history.