How to Harden Linux Bash History: Timestamps, IP Logging, and Syslog Integration

This guide shows how to enrich Linux Bash history with execution timestamps, user and IP information, and forward logs to syslog or a remote server, improving auditability and protecting against tampering during security incident response.

Open Source Linux

In Linux, the history command records user commands but by default lacks timestamps and user identification, limiting its usefulness for security auditing.

1. Add timestamps to history

Set the environment variable HISTTIMEFORMAT='%F %T ' to include date and time in each entry. Place this line in /etc/profile for system‑wide effect or in ~/.bash_profile for a specific user, then reload with source /etc/profile.

After reloading, history displays entries with execution time.
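
On disk, Bash records each timestamp as a "#<epoch>" comment line ahead of the command; HISTTIMEFORMAT only controls how history renders it. The script below is an added example, not part of the original article: it reads that file format and flags commands that have no timestamp or whose timestamp is older than one already seen. The function names and the sample entries are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit a history file written by Bash
# while HISTTIMEFORMAT was set. Bash stores each timestamp as a "#<epoch>"
# line directly before the command it belongs to.

# audit_history FILE
# Emits "<epoch>\t<flag>\t<command>" for every command line. Flags:
#   OK     timestamp present and not older than the newest one seen so far
#   NOTIME no "#<epoch>" line precedes the command (logged before the
#          setting was active, or the file was edited)
#   BACK   timestamp is older than an earlier entry's timestamp
# Assumes one command per line (shopt lithist off, the Bash default).
audit_history() {
    awk '
        /^#[0-9]+$/ { raw = substr($0, 2); ts = raw + 0; have = 1; next }
        {
            if (!have)          { flag = "NOTIME"; raw = "-" }
            else if (ts < last) { flag = "BACK" }
            else                { flag = "OK" }
            printf "%s\t%s\t%s\n", raw, flag, $0
            if (have && ts > last) last = ts   # remember newest timestamp
            have = 0
        }
    ' "$1"
}

# count_flag FILE FLAG -> number of commands carrying FLAG
count_flag() {
    audit_history "$1" |
        awk -F '\t' -v f="$2" '$2 == f { n++ } END { print n + 0 }'
}

# Constructed sample: two normal entries, one entry without a timestamp,
# and one entry whose timestamp jumps backwards.
sample_history() {
    printf '%s\n' \
        '#1700000000' 'id' \
        '#1700000060' 'sudo -l' \
        'vi /etc/hosts' \
        '#1699990000' 'ls /tmp'
}

tmp=$(mktemp)
sample_history > "$tmp"
audit_history "$tmp"
rm -f "$tmp"
```

Point audit_history at a copy of a user's ~/.bash_history; NOTIME and BACK lines are places to compare against the syslog copy described in step 3.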

2. Record user, IP, and command together

Append a more complex export to /etc/profile that captures the current user, IP address, and command:

export HISTTIMEFORMAT="%F %T `who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'` `whoami` "

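All spaces are required. Once applied, each history line shows time, IP, user, and the executed command. The backquoted commands run once, when /etc/profile is read at login, so the IP and user are fixed for that session; they are part of the display format and are not written to the history file itself.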

3. Send history to syslog for tamper‑resistance

Modify the Bash source to enable syslog history. Download Bash (e.g., version 4.4) from GNU, edit bashhist.c and uncomment the #define SYSLOG_HISTORY line in config-top.h. Recompile with ./configure --prefix=/usr/local/bash and install.

Replace the system Bash binary (after backing it up) and ensure it has executable permissions. The new Bash writes history entries to /var/log/messages. To forward them to a remote log server, configure the syslog daemon accordingly.

These steps provide more detailed, immutable command logs, helping security teams perform reliable forensic analysis and preventing attackers from erasing or altering history records.
