
Timestamps + History

Accurate timestamps are crucial for investigations. In this post we'll extend the Bash shell to display the date and time as each command is executed, and show how to include the timestamp in the history file.

Interactive shell

For investigative purposes, I like to keep track of my tasks. When reviewing system logs, I rely on Bash tools for tasks such as log parsing to identify suspicious or malicious activity, including unauthorized access or command execution. To aid this process, I configure my environment's PS1 to display the exact time each command is executed. This is particularly helpful when generating a timeline of findings.

What is PS1?

In the Bash environment, PS1 stands for "Prompt String 1." It is the primary prompt string that Bash displays to indicate that it is ready to accept a command. You can customize PS1 to include various information, such as the current user, hostname, working directory, datetime, and other details.

Below is a sample PS1 configuration:

# file ~/.bashrc
... # right at the end
export PS1='\[\e[1;0m\]\D{%m/%d/%Y %H:%M:%S} \[\e[1;36m\]\u@\h \[\e[33m\]\w\[\e[0m\]\n \$ » '

This will set your interactive shell to this:

Screenshot of the PS1 sample configuration above.

You can also add the PS1 environment variable to the /etc/skel/.bashrc file to make it available for newly created users in the system that will use the bash shell.

History command

Ever since I started using the Bash shell, the history command has been one of my favorite features. Whether it’s hitting Ctrl+r to search for that one command I forgot the parameters for or simply typing history and using grep to find it, it has always been incredibly useful. When I began working in cyber defense and securing systems, one of the first things I did was add the following snippet to /etc/skel/.bashrc (or /etc/skel/.zshrc if you prefer Zsh) and my user's ~/.bashrc:

This makes any newly created user that uses the Bash shell automatically pick up the HISTTIMEFORMAT timestamp configuration in their interactive shell environment.

Below is a test of the above configuration, executed by running the history command:

history command output with timestamps.
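As an added example, not code from the original post: when HISTTIMEFORMAT is set, Bash writes each command's epoch time as a `#<epoch>` line immediately before it in ~/.bash_history. The script below turns such a file into a readable timeline for an investigation and flags entries that were recorded without a timestamp (for example from a session where the variable was not set). The HISTTIMEFORMAT format string and the sample history entries are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: build a timeline from a ~/.bash_history written with
# HISTTIMEFORMAT set. The variable below only shows the assumed shape of
# the post's snippet; it does not change how this script runs.
export HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S '

# Print "timestamp  command" for each entry of the history file given as $1.
# A "#<epoch>" line sets the timestamp of the command that follows it;
# commands with no preceding marker are reported as "unknown".
history_timeline() {
    local ts="unknown" line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'[0-9]*)
                # GNU date: render the epoch in UTC so output does not depend on host TZ
                ts=$(date -u -d "@${line#\#}" +'%Y-%m-%d %H:%M:%S')
                ;;
            *)
                printf '%s  %s\n' "$ts" "$line"
                ts="unknown"
                ;;
        esac
    done < "$1"
}

# Write a constructed sample history file (what Bash produces with
# HISTTIMEFORMAT set) to the path given as $1. The last entry deliberately
# has no epoch marker.
write_sample_history() {
    cat > "$1" <<'EOF'
#1700000000
grep 'Failed password' /var/log/auth.log
#1700000042
last -a
ss -tnp
EOF
}

sample_history=$(mktemp)
write_sample_history "$sample_history"
history_timeline "$sample_history"
rm -f "$sample_history"
```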

Notes

Key Points to Keep in Mind About the Bash Shell Environment, History Command, and Timestamps

  • Customize the .bashrc File: Modify the .bashrc file in your system templates or images, ideally maintaining a universal version in /etc/skel (its intended purpose). This ensures consistent CLI activity logging, which is especially valuable when investigating potential threats or unauthorized system access.

  • Utilize the history Command or .bash_history File: Check the history command or the .bash_history file during investigations to uncover evidence of potential unauthorized access or malicious activity within your network.

  • Enable Timestamps for Improved Investigations: Configuring timestamps in the history file and enabling them in the interactive shell can significantly aid investigative efforts on Linux systems, providing a clearer timeline of command execution.

