from Michael Reber

Basic bash history configuration in Rocky Linux 9

Linux, Engineering

In a modern IT environment, where efficiency and security are crucial, the correct configuration of the bash history of every Linux server plays an important role.

This is particularly relevant in order to be able to determine at any time which user is executing which commands and in which order they have done so. This also applies if the user accesses the same systems simultaneously via several SSH sessions or if so-called service users are used. Rocky Linux 9, as a robust and secure operating system, offers a solid basis for your application server, as does the paid version Red Hat Enterprise Linux 9. In the standard configuration of both systems, however, the bash history is limited and only saves the last 1000 commands. Also, by default, the commands already executed are only written to the user history when the user session is terminated and not directly after each new command is issued. This does not offer live logging and is also problematic when using several sessions at the same time, as only the commands of the first SSH session can be logged.

In this short blog post, we explain how this problem can be easily overcome to ensure comprehensive traceability, which is essential for effective security monitoring and compliance.

To enable a simple and lean configuration of the bash history, let's take a look at the directory /etc/profile.d/ in more detail.

Why /etc/profile.d/ ?

This special directory allows us to execute user-defined scripts for all users each time a new bash or login shell is started and, as in our case, to define environment variables. The use of /etc/profile.d/ in contrast to a .bashrc provides a system-wide approach that ensures our configurations are applied consistently across the entire system without the need to manually customise individual user profiles.

The configuration

This configuration is quick and easy. The biggest challenge is defining the correct environment variables, which we have already done for you here. In the directory /etc/profile.d/For example, using the editor vim, a new file is created as follows
# vim /etc/profile.d/bash_history.sh The name of the file can be freely chosen, the only important thing is that it starts with .sh ends and is executable. We go into insert mode 'i' add the following content. We then save with 'ESC‹ – :wqENTER:

export HISTSIZE=-1
export HISTFILESIZE=-1
export HISTTIMEFORMAT="[%F %T] "
export HISTCONTROL=ignoredups
export PROMPT_COMMAND="history -a; $PROMPT_COMMAND"

To ensure that the file is executed correctly with the next shell logon as intended, it must be made executable. We achieve this with the command:
# chmod +x /etc/profile.d/bash_history.sh

Our adjustments have the following effect:

  • Unlimited history (HISTSIZE and HISTFILESIZE on -1): In contrast to the standard limit of 1000 commands, the -1 the storage of an unlimited number of commands in the history. Old entries <1000 are therefore no longer automatically deleted and are retained.
  • Timestamp (HISTTIMEFORMAT): In addition to the numbering, each command in the history also receives a timestamp. This is particularly important in order to understand which employee executed which commands in which order, even if there are several simultaneous sessions.
  • Avoid duplicates (HISTCONTROL=ignoredups): This setting prevents repeated commands from being included in the history immediately one after the other, which greatly increases clarity.
  • Immediate history append (PROMPT_COMMAND): By setting history -a (append) and the variable $PROMPT_COMMANDThe history append, which contains the user's actual command, is also executed for each new command (prompt command). This ensures that no data is lost even if one of the SSH session(s) is interrupted. This is also crucial for integration into security monitoring systems.

Significance for SIEM systems

Immediate logging of commands issued by users or administrators also plays a central role in real-time security monitoring, especially when using a SIEM system or log management with Elasticsearch. Only by immediately forwarding all typed commands to the SIEM is real-time monitoring and analysis possible, which is essential for detecting security incidents on UNIX systems. The configuration presented here facilitates forensic tasks enormously by ensuring that every command is immediately available for forwarding with Filebeat (Elastic's agent) and subsequent analysis by every user, with an exact time stamp.

Conclusion

By implementing this simple bash history configuration, IT professionals can ensure a higher level of security and compliance with little effort. Combined with a powerful SIEM solution such as Elasticsearch, this configuration provides a robust foundation for monitoring and analysing command execution in real time, which is essential in today's fast-moving IT infrastructure.

Photo of author

Michael Reber

Years of experience in Linux, security, SIEM and private cloud

Hinterlassen Sie einen Kommentar

eight + 18 =

en_GB