How to Harden Linux Bash History: Timestamps, User/IP Logging & Syslog Integration

This guide shows how to enrich Linux Bash history with execution timestamps, associate each command with the user and IP address, and forward the logs to syslog—providing reliable audit trails and protecting against attackers tampering with history records.

Programmer DD

1. Add timestamps to Bash history

By default, history lists only the commands themselves. Set export HISTTIMEFORMAT='%F %T ' (note the trailing space, which separates the timestamp from the command) to record the date and time of each entry. Put this line in /etc/profile for a system‑wide effect, or in a user's ~/.bash_profile for a per‑user setting. After re‑sourcing the profile (source /etc/profile), the history output shows a timestamp before each command. With this variable set, Bash also stores each entry's epoch time in ~/.bash_history as a #<seconds> comment line; the history builtin formats that value on display.

2. Record user, IP and command together

To capture the current user and IP address alongside each command, add the following snippet to /etc/profile (or the appropriate user profile):

export HISTTIMEFORMAT="%F %T $(whoami)@$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g') "

Here whoami supplies the login name, and the who -u am i pipeline supplies the origin of the session: the last field of that output is the remote host or IP in parentheses, which sed strips. The trailing space keeps the command separated from the prefix, so each history entry carries time, user, IP and command. Note that who am i only reports an origin for sessions attached to a terminal; in cron jobs or some su sessions the field is empty. Because the variable is set in the user's own profile, it also stays under that user's control, which is the gap the syslog approach in the next section closes.
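The following is an added example, not code from the original article: it isolates the parsing of the who -u am i line into a function so the behaviour can be checked on a constructed line without a terminal, and it handles the tty‑less case by falling back to a placeholder origin. The function names (build_hist_prefix) and the "local" fallback value are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the original article): build the HISTTIMEFORMAT value
# from a login name and one "who -u am i" output line. Splitting the parsing out
# lets it be exercised on a constructed line; the live export at the bottom uses
# the real who output. Function and variable names are assumptions of this example.

# Print "%F %T <user>@<host-or-ip> " with a trailing space, so the command that
# follows in the history listing stays separated from the prefix.
#   $1 = login name
#   $2 = full "who -u am i" line, e.g. "alice pts/0 2024-05-01 09:12 00:03 4321 (203.0.113.7)"
# The origin is the parenthesised last field; if no such field exists (cron,
# some su sessions, a console login without an origin) the placeholder "local"
# is used instead of whatever happened to be the last field.
build_hist_prefix() {
    hp_user=$1
    hp_line=$2
    hp_host=$(printf '%s\n' "$hp_line" | awk '{print $NF}' | sed -e 's/[()]//g')
    case $hp_line in
        *'('*')'*) ;;           # a parenthesised origin was present: keep it
        *) hp_host=local ;;     # no origin field: do not trust the last column
    esac
    printf '%%F %%T %s@%s ' "$hp_user" "$hp_host"
}

# Wire it into the current shell. Quoted so the trailing space survives in
# shells that word-split arguments to export (dash does).
export HISTTIMEFORMAT="$(build_hist_prefix "$(id -un)" "$(who -u am i 2>/dev/null)")"
```

Place the function and the export in /etc/profile in the same position the article gives for the one‑liner; the history listing then reads "2024-05-01 09:12:00 alice@203.0.113.7 ls -la" for a remote session and "... alice@local ..." where no origin is known, so a missing origin is visible rather than silently replaced by an unrelated column.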

3. Modify Bash source to enable syslog logging

For stronger protection, modify Bash itself so that every command is sent to syslog, making it harder for an attacker to delete or alter the logs.

Download the Bash source (e.g., version 4.4) from gnu.org. Edit bashhist.c to adjust the syslog calls: the source already contains a bash_syslog_history() routine that is compiled in only when SYSLOG_HISTORY is defined, and the exact changes the author made are shown only in the original article's screenshot. Then edit config-top.h and uncomment the line #define SYSLOG_HISTORY; the same file sets the facility and level used for the messages (LOG_USER and LOG_INFO by default).

Compile and install Bash with:

./configure --prefix=/usr/local/bash
make
make install

With that prefix, make install places the new binary at /usr/local/bash/bin/bash. Copy it over the system's /bin/bash only after backing up the original, and make sure the new binary has executable permissions. Restrict access to the backup (or remove it once the new build is verified), because commands run through an unpatched shell are not logged.

4. Verify syslog integration

After the replacement, Bash sends each command line to syslog as it is added to history, using the LOG_USER facility at LOG_INFO priority unless config-top.h was changed; rsyslog typically writes these to /var/log/messages (or /var/log/syslog on Debian‑derived systems). Configure the syslog daemon (rsyslog or syslog-ng) to forward the entries to a remote log server so that a copy exists off the host, where a local attacker cannot edit it.
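As an added example (not from the original article), the script below shows what a reviewer of the forwarded log can do with the entries: it parses syslog lines in the stock format bash's bash_syslog_history() emits ("HISTORY: PID=<pid> UID=<uid> <command>") and flags commands that try to switch off or erase the local history, which is exactly the activity the syslog copy is meant to preserve. The log lines are constructed for the example; a bashhist.c edited as in the article may produce a different layout, in which case the regular expressions need adjusting.

```sh
#!/bin/sh
# Added example (not from the original article): scan syslog output from a
# SYSLOG_HISTORY-enabled bash for commands that disable or erase the local
# history. The layout assumed is bash's stock format:
#   <timestamp> <host> bash: HISTORY: PID=<pid> UID=<uid> <command>
# Function names and the sample lines are this example's own.

# Constructed sample lines, as rsyslog would write them to /var/log/messages.
SAMPLE_LOG='May  1 09:12:01 web01 bash: HISTORY: PID=4321 UID=1000 ls -la /var/www
May  1 09:12:09 web01 bash: HISTORY: PID=4321 UID=1000 unset HISTFILE
May  1 09:12:15 web01 bash: HISTORY: PID=4321 UID=1000 cat /etc/hostname
May  1 09:13:02 web01 bash: HISTORY: PID=5550 UID=0 history -c
May  1 09:13:40 web01 bash: HISTORY: PID=5550 UID=0 rm -f /root/.bash_history
May  1 09:14:00 web01 sshd[999]: Accepted publickey for alice from 203.0.113.7 port 50022'

# Read log text on stdin; print "UID=<uid> PID=<pid> <command>" for every
# HISTORY record whose command matches a known history-evasion pattern.
# Non-bash lines (sshd etc.) are skipped because they carry no command field.
flag_history_tampering() {
    awk '
        /bash: HISTORY: PID=[0-9]+ UID=[0-9]+ / {
            # Everything after the UID field is the command as the user typed it.
            cmd = $0
            sub(/^.*HISTORY: PID=[0-9]+ UID=[0-9]+ /, "", cmd)
            match($0, /PID=[0-9]+/); pid = substr($0, RSTART, RLENGTH)
            match($0, /UID=[0-9]+/); uid = substr($0, RSTART, RLENGTH)
            # Patterns: unsetting HIST* variables, zeroing history size,
            # clearing the in-memory list, removing the file, or turning
            # the history option off. Anchored at start or after ; & | space
            # so that e.g. "rm foo; history -c" is still caught.
            if (cmd ~ /(^|[;&| ])(unset[ ]+HIST|export[ ]+HIST(SIZE|FILESIZE)=0|history[ ]+-c|rm[ ].*\.bash_history|set[ ]+\+o[ ]+history)/)
                print uid, pid, cmd
        }'
}

# Number of flagged entries in the sample (a named result so it can be checked).
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_history_tampering | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_history_tampering
```

Run against the real file with "flag_history_tampering < /var/log/messages" on the log server; because the entries arrive from the patched binary rather than from the user's shell, a flagged "unset HISTFILE" is evidence that survives even though the user's own ~/.bash_history stops recording from that point on.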

Combining timestamped history, user/IP tagging and syslog forwarding yields an audit trail that resists tampering: the syslog copy is written by the Bash binary itself rather than by the user's shell configuration, so it survives attempts to unset the history variables or delete the ~/.bash_history file, and forwarding it off‑host keeps it beyond the reach of someone with local root. Commands entered through another shell or interpreter are not covered, so the protection depends on the patched Bash being the login shell actually in use.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, Shell, Bash, syslog, Security Auditing, History Logging
Written by Programmer DD, a tinkering programmer and author of "Spring Cloud Microservices in Action".