search
Page cover

clock-twelveTimestamps + History

Accurate timestamps are crucial for investigations. In this post we'll extend the bash shell to display the date/time during command execution and how to include the timestamp in the history file.

hashtag
Interactive shell

For investigative purposes, I like to keep track of my tasks. When reviewing system logs, I rely on Bash tools for tasks such as log parsing to identify suspicious or malicious activity, including unauthorized access or command execution. To aid this process, I configure my environment's PS1 to display the exact time each command is executed. This is particularly helpful when generating a timeline of findings.

circle-info

hashtag
What is PS1?

In the Bash environment, PS1 stands for "Prompt String 1." It is the primary prompt string that Bash displays to indicate that it is ready to accept a command. You can customize PS1 to include various information, such as the current user, hostname, working directory, datetime, and other details.

Below is a sample PS1 configuration parameters:

# file ~/.bashrc
... # right at the end
export PS1='\[\e[1;0m\]\D{%m/%d/%Y %H:%M:%S} \[\e[1;36m\]\u@\h \[\e[33m\]\w\[\e[0m\]\n \$ » '

This will set your interactive shell to this:

Screenshot of the PS1 sample configuration above.
circle-info

You can also add the PS1 environment variable to the /etc/skel/.bashrc file to make it available for newly created users in the system that will use the bash shell.

hashtag
History command

Ever since I started using the Bash shell, the history command has been one of my favorite features. Whether it’s hitting Ctrl+r to search for that one command I forgot the parameters for or simply typing history and using grep to find it, it has always been incredibly useful. When I began working in cyber defense and securing systems, one of the first things I did was add the following snippet to /etc/skel/.bashrc (or /etc/skel/.zshrc if you prefer Zsh) and my user's ~/.bashrc:

This allows for any newly created user that uses the bash shell to automatically set the timestamp configuration of HISTTIMEFORMAT variable on their interactive shell environment.

Below is the testing of the above configuration by executing the history command:

history command output with timestamps.

hashtag
Notes

hashtag
Key Points to Keep in Mind About the Bash Shell Environment, History Command, and Timestamps

  • Customize the .bashrc File: Modify the .bashrc file in your system templates or images, ideally maintaining a universal version in /etc/skel (its intended purpose). This ensures consistent CLI activity logging, which is especially valuable when investigating potential threats or unauthorized system access.

  • Utilize the history Command or .bash_history File: Check the history command or the .bash_history file during investigations to uncover evidence of potential unauthorized access or malicious activity within your network.

  • Enable Timestamps for Improved Investigations: Configuring timestamps in the history file and enabling them in the interactive shell can significantly aid investigative efforts on Linux systems, providing a clearer timeline of command execution.

hashtag
References

LogoControlling the Prompt (Bash Reference Manual)www.gnu.orgchevron-right
Controlling the Prompt
LogoBASH Shell Change The Color of Shell Prompt on Linux or UNIXnixCraftchevron-right
Bash shell color change how-to
Logobash prompt variables - Linux - SS64.comss64.comchevron-right
bash prompt variables
LogoWhat is PS1 Variable in Bash? [3 Customization Examples]LinuxSimplychevron-right
PS1 information and customization examples.
PreviousTicoNextGot Auditd? - Part 1

Last updated