Disable the ability to hide Bash command history

Solution 1:

There are a couple of things that you can do, but ultimately, for a sufficiently sophisticated user, they can easily be bypassed.

You can set the relevant history control variables (HISTFILE, HISTFILESIZE, HISTSIZE, HISTCONTROL, HISTIGNORE) to values that you want and make them readonly. Do this in a convenient system-wide initialisation file that users cannot edit. So, for example, you could set

readonly HISTFILE=~/.bash_history
# readonly takes variable names, so unset first, then lock the name
unset HISTCONTROL
readonly HISTCONTROL

or

readonly HISTCONTROL=ignoredups

This, though, doesn't stop the user from editing the $HISTFILE and removing commands from it, or deleting the file and then linking it to /dev/null so that commands are again hidden.

You can solve this by making the $HISTFILE append-only with chattr:

chattr +a /home/alice/.bash_history

Now the .bash_history can't be changed, only added to (don't forget to put some sort of pruning in place). We can see everything the user does ... nope.

It is easy for the user to bypass these restrictions:

  • They can run another shell (there are several available). Sure, you can stop them from executing these, but that can cause unexpected problems elsewhere too.
  • They can run bash --norc --noprofile, which bypasses all of the initialization scripts; they can then trivially source a script containing the settings/initialisation they want. You'll be able to see they did this but not what they subsequently did.

If you want to be able to log a user's activity in a manner that they cannot circumvent, then you need to use auditing, not history.
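
A defender-side check for the history file states described in the answer above (file replaced by a link such as /dev/null, file deleted, or append-only attribute not set). This is an added example, not part of the original answer; the function name check_histfile is hypothetical, and it assumes lsattr (e2fsprogs) is installed and the filesystem supports file attributes.

```shell
#!/bin/sh
# Added example: classify the state of a Bash history file.
# check_histfile is a hypothetical helper name, not a standard tool.
# Prints one of: missing | symlink:<target> | not-regular |
#                not-append-only | attr-unknown | ok
check_histfile() {
    f=$1
    # Test for a symlink first: [ -e ] follows links, so a link to
    # /dev/null would otherwise look like an existing file.
    if [ -L "$f" ]; then
        printf 'symlink:%s\n' "$(readlink -- "$f")"
        return 1
    fi
    if [ ! -e "$f" ]; then
        echo missing
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo not-regular
        return 1
    fi
    # lsattr prints "<flags> <path>"; a lowercase 'a' flag means append-only.
    # It fails where lsattr is absent or the filesystem has no attribute support.
    if ! attrs=$(lsattr -d -- "$f" 2>/dev/null); then
        echo attr-unknown
        return 2
    fi
    case ${attrs%% *} in
        *a*) echo ok; return 0 ;;
        *)   echo not-append-only; return 1 ;;
    esac
}

# Report on every path given on the command line, e.g.
#   sh check_hist.sh /home/*/.bash_history
for path in "$@"; do
    printf '%s\t%s\n' "$path" "$(check_histfile "$path")"
done
```

Run it as root from a scheduled job so the result does not depend on the user's own shell configuration.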