Command History in Linux
Quick Summary
When using the Linux terminal, the commands entered in the console are often recorded and saved. In this lab we discuss how the command history can be utilised by Blue Teams and Red Teams in order to reveal information.
What's on this page?
- Overview
- Bash history
- HISTCONTROL
- Alternative defence evasion techniques
- Detecting malicious behaviour
Overview
Saving the command history is often regarded as a useful Linux terminal feature. By reviewing the history, users can better understand what changes have been made to a system or remind themselves of an important command they recently used. However, there are many security implications associated with saving the command history, which can affect both users and attackers.
Bash history
Bash keeps the commands entered during a session in memory and, when the user logs off, appends them to the file named by the HISTFILE variable, which is ~/.bash_history by default. Because the text is saved exactly as it was typed, any credentials or passwords passed on the command line end up stored in plaintext in ~/.bash_history. This is useful to an attacker who has gained access to the account and is hunting for credentials.
One way a user can prevent a command from being recorded is to start it with a leading space character. For example, the command " echo 'hello world'" will not be saved, whereas "echo 'hello world'" will be. (This relies on HISTCONTROL containing ignorespace or ignoreboth, which many distributions set in the default .bashrc.) Alternatively, users can suspend and resume the recording of their history by entering set +o history and set -o history in the terminal.
HISTCONTROL
Although prefixing commands with a space can be used to keep sensitive information out of the history, the same approach can be used by attackers to keep their commands from being recorded. To stop users from hiding commands this way, the HISTCONTROL variable can be set to "ignoredups" (so that ignorespace is no longer in effect) and users prevented from changing it, for example by declaring it readonly in a system-wide profile script. Commands prefixed with a space are then captured and stored in the bash history like any other.
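The following POSIX shell script is an added example, not part of the original lab. It runs a fixed command sequence in a throwaway bash and shows which lines reach the saved history for each HISTCONTROL value, which makes it easy to verify that the "ignoredups" setting recommended above really does keep a space-prefixed command, and that set +o history suspends recording entirely. It assumes bash and mktemp are available; the probe writes its history to a scratch file with history -w and blanks HISTFILE, so the real ~/.bash_history is never read or written. The variable names PROBE_CONTROL and PROBE_OUT are the example's own.

```shell
#!/bin/sh
# Added example (not from the lab): observe which commands bash saves to its
# history under a given HISTCONTROL value, using a scratch file only.

# record_history CONTROL: run the probe with HISTCONTROL=CONTROL and print
# the history lines bash saved.
record_history() {
    _out=$(mktemp)
    # The inner bash is non-interactive, so it records nothing until
    # 'set -o history'. The heredoc is quoted: the inner shell reads
    # PROBE_CONTROL and PROBE_OUT from its environment.
    PROBE_CONTROL="$1" PROBE_OUT="$_out" bash <<'EOF'
HISTFILE=
HISTCONTROL="$PROBE_CONTROL"
HISTIGNORE=
HISTSIZE=1000
set -o history
echo plain command >/dev/null
 echo leading space >/dev/null
echo plain command >/dev/null
set +o history
echo while suspended >/dev/null
set -o history
history -w "$PROBE_OUT"
EOF
    cat "$_out"
    rm -f "$_out"
}

# count_saved CONTROL PATTERN: number of saved history lines matching PATTERN.
count_saved() {
    record_history "$1" | grep -c -- "$2" || true
}

# Demonstration: ignoredups keeps the leading-space command (and keeps both
# "plain" lines, because a different entry sits between them); ignorespace
# and ignoreboth drop it; the command run while history was suspended is
# never saved.
for ctl in '' ignoredups ignorespace ignoreboth; do
    echo "HISTCONTROL='$ctl': $(count_saved "$ctl" 'leading space') leading-space line(s)," \
         "$(count_saved "$ctl" 'plain command') plain line(s)," \
         "$(count_saved "$ctl" 'while suspended') suspended line(s)"
done
```

The probe is deliberately run in a child shell so the current session's own history settings are left alone; note that the inner shell assigns HISTCONTROL itself rather than relying on the inherited value, because bash applies the variable's side effects when it is assigned.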
Alternative defence evasion techniques
As well as modifying the HISTCONTROL variable, attackers have been known to use a range of techniques to clear their command history. One way to evade detection is to clear or delete the bash history with commands such as history -c or rm ~/.bash_history. Alternatively, limiting the history file to zero lines with export HISTFILESIZE=0 ensures that no commands are retained on disk.
Detecting malicious behaviour
There are several ways administrators can detect suspicious behaviour involving the command history. For example, a user authenticating without any new commands appearing in their bash history can be considered suspicious, as can any modification of the HISTFILE or HISTFILESIZE variables. Furthermore, a user reading the history file directly with commands such as cat can also be considered suspicious, as genuine users typically access their command history with the history builtin.
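As an added example that is not part of the original lab, the POSIX shell script below turns the evasion techniques from the previous section and the detection ideas above into a small audit: it flags history lines that clear or delete the history, zero HISTFILESIZE or HISTSIZE, redirect or unset HISTFILE, change HISTCONTROL, suspend recording, or read the history file directly, and it applies the "logged in but left no history" heuristic by comparing accepted SSH logins against the size of a user's history file. All input is constructed sample data (a fictitious user "alice", a fictitious user "bob" with no history file, and a made-up auth log excerpt); the function names and the log format are the example's assumptions, and bash_history files carry no timestamps unless HISTTIMEFORMAT is set, so the heuristic can only compare counts, not times.

```shell
#!/bin/sh
# Added example (not from the lab): audit a history file for tampering
# indicators and check for logins that left no history behind.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed ~/.bash_history for the fictitious user "alice".
cat > "$WORK/alice_history" <<'EOF'
ls -la
cd /var/www
git status
cat ~/.bash_history
export HISTFILESIZE=0
history -c
EOF

# Constructed auth log excerpt (fictitious hosts and addresses).
cat > "$WORK/auth.log" <<'EOF'
Mar 10 08:01:12 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar 10 09:14:03 host sshd[1344]: Accepted password for alice from 192.0.2.10 port 50190 ssh2
Mar 11 07:55:41 host sshd[2020]: Accepted publickey for bob from 192.0.2.11 port 41002 ssh2
Mar 11 10:30:00 host sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 50222 ssh2
EOF

# flag_tampering FILE: print each history line (with its line number) that
# matches one of the indicators described in the lab.
flag_tampering() {
    grep -n -E \
        -e 'history[[:space:]]+-c' \
        -e 'rm[[:space:]].*\.bash_history' \
        -e 'HIST(FILE)?SIZE=0' \
        -e '(unset[[:space:]]+HISTFILE|HISTFILE=)' \
        -e 'HISTCONTROL=' \
        -e 'set[[:space:]]+\+o[[:space:]]+history' \
        -e '(cat|less|more|head|tail|strings)[[:space:]].*\.bash_history' \
        "$1" || true
}

# count_tampering FILE: number of flagged lines (0 when the file is clean).
count_tampering() { flag_tampering "$1" | wc -l | tr -d ' '; }

# ssh_logins USER LOG: number of accepted SSH logins for USER in LOG.
ssh_logins() {
    grep -c -E "sshd\[[0-9]+\]: Accepted [a-z]+ for $1 " "$2" || true
}

# history_lines FILE: number of recorded commands, 0 if the file is missing.
history_lines() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# silent_logins USER LOG HISTFILE: "suspicious" when USER authenticated at
# least once but HISTFILE holds no commands, otherwise "ok".
silent_logins() {
    if [ "$(ssh_logins "$1" "$2")" -gt 0 ] && [ "$(history_lines "$3")" -eq 0 ]; then
        echo suspicious
    else
        echo ok
    fi
}

# Demonstration run over the constructed data.
echo "Flagged lines in alice's history:"
flag_tampering "$WORK/alice_history"
echo "alice: $(ssh_logins alice "$WORK/auth.log") logins, history check: $(silent_logins alice "$WORK/auth.log" "$WORK/alice_history")"
echo "bob:   $(ssh_logins bob "$WORK/auth.log") logins, history check: $(silent_logins bob "$WORK/auth.log" "$WORK/bob_history")"
```

On a real host the same functions would be pointed at /home/*/.bash_history and the system's authentication log; a positive from silent_logins is a prompt to look for history -c, a zeroed HISTFILESIZE or a deleted file, not proof of intrusion on its own, since a user who only ran a non-bash shell also leaves no bash history.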
In this lab you will need to review the command history on the host machine and identify the credentials used to access the remote machine with SSH.