This note documents detection patterns for shell history tampering on Linux systems.
Direct Indicators
| Artifact | String / Signal | Detection Use | Forensic Value | Notes |
|---|---|---|---|---|
| bash history | missing recent commands | Detect removed shell evidence | Critical | Session activity exists elsewhere but history absent |
| bash history | history -c | Detect explicit clearing | Critical | Direct shell history wipe |
| bash history | unset HISTFILE | Detect disabling history writes | Critical | Prevents persistence of command trail |
| bash history | export HISTFILE=/dev/null | Detect redirected history sink | Critical | Common stealth pattern |
| shell config | HISTSIZE=0 | Detect disabled history retention | High | Prevents command storage |
| shell config | HISTFILESIZE=0 | Detect no file retention | High | Often set temporarily before actions |
| shell config | set +o history | Detect shell history disabled | High | Session-local stealth |
| shell config | .bash_history timestamp gaps | Detect inconsistent timeline | High | Missing commands during suspicious window |
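The string signals in the table above can be checked mechanically. The scanner below is an added example written for this note, not tooling from the original; it uses the same indicator strings as the table, anchors each pattern so a legitimate `HISTSIZE=1000` does not trip the `HISTSIZE=0` check, skips commented-out lines, and can run either on the constructed sample files embedded here or on a live host's `/home`, `/root` and `/etc`.

```python
import os
import re
from typing import Dict, Iterable, List, NamedTuple

# Signals from the Direct Indicators table. Each pattern is anchored so that a
# legitimate "HISTSIZE=1000" does not fire the "HISTSIZE=0" check.
INDICATORS = {
    "history -c": re.compile(r"\bhistory\s+-[a-z]*c"),          # also catches "history -cw"
    "unset HISTFILE": re.compile(r"\bunset\s+HISTFILE\b"),
    "HISTFILE=/dev/null": re.compile(r"\bHISTFILE=(['\"]?)/dev/null\1"),
    "HISTSIZE=0": re.compile(r"\bHISTSIZE=(['\"]?)0\1(?=\s|;|$)"),
    "HISTFILESIZE=0": re.compile(r"\bHISTFILESIZE=(['\"]?)0\1(?=\s|;|$)"),
    "set +o history": re.compile(r"\bset\s+\+o\s+history\b"),
}


class Finding(NamedTuple):
    path: str
    line_no: int
    indicator: str
    line: str


def scan_lines(path: str, lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per (line, indicator) hit. Lines starting with '#'
    are skipped: comments, and the '#<epoch>' stamps bash writes with HISTTIMEFORMAT."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if line.lstrip().startswith("#"):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, name, line))
    return findings


def scan_files(files: Dict[str, List[str]]) -> List[Finding]:
    """Scan an in-memory {path: lines} mapping (used for the constructed sample)."""
    findings = []
    for path, lines in files.items():
        findings.extend(scan_lines(path, lines))
    return findings


# Shell startup and history file names to inspect on a live host.
SHELL_FILE_NAMES = ("profile", "bash.bashrc", ".profile", ".bashrc", ".bash_profile",
                    ".bash_login", ".bash_history", ".zshrc", ".zprofile", ".zsh_history")


def scan_tree(roots=("/home", "/root", "/etc")) -> List[Finding]:
    """Walk the same roots as the grep template, reading only shell config/history files."""
    findings = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                if name not in SHELL_FILE_NAMES:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="ignore") as fh:
                        findings.extend(scan_lines(path, fh))
                except OSError:
                    continue  # unreadable file; keep scanning the rest
    return findings


# Constructed sample files (not taken from any real host).
SAMPLE_FILES = {
    "/home/alice/.bashrc": ["# ~/.bashrc", "HISTSIZE=1000", "HISTFILESIZE=2000",
                            "export HISTFILE=/dev/null"],
    "/root/.bash_history": ["ls -la /var/log", "unset HISTFILE", "history -c"],
    "/home/bob/.profile": ["# set +o history", "umask 022"],   # commented out, ignored
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: [{f.indicator}] {f.line}")
    # On a real system: for f in scan_tree(): print(f)
```

On the constructed sample the scanner reports the redirected history sink in alice's `.bashrc` and the two explicit wipes in root's history, while the commented-out `set +o history` in bob's `.profile` produces nothing.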
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Authenticated session but no history | SSH logon exists but no shell commands | Critical | Strong anti-forensic signal |
| History ends abruptly | Commands stop before suspicious event | High | May indicate cleanup |
| Commands seen in journald but absent in history | Shell evidence mismatch | Critical | Confirms tampering |
| Root shell with empty history | High-value account lacks activity | Critical | Often deliberate |
| Recent file mtime but old content | History rewritten | High | Manual edit possible |
Common Tools
| Tool | Usage |
|---|---|
| bash builtins | history -c, unset HISTFILE |
| sed | Delete lines from history |
| truncate | Empty history file |
| rm | Remove history file |
| manual editing | Rewrite selected commands |
Relevant Artifacts
- /home/*/.bash_history
- /root/.bash_history
- /home/*/.zsh_history
- /etc/profile
- /etc/bash.bashrc
- /home/*/.bashrc
- /home/*/.profile
- auth.log
- journalctl
- shell session timestamps
- file metadata for history files
MITRE ATT&CK References
- T1070 Indicator Removal on Host
- T1070.003 Clear Command History
Decision Tree
- Was there an authenticated session?
  - Confirm via auth.log / journald.
- Does history exist?
  - Compare user shell history.
- Is history incomplete?
  - Identify suspicious gaps.
- Pivot:
  - journald
  - auth.log
  - process execution
- Confirm anti-forensics
  - Match session time against missing commands.
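The last step of the decision tree, matching session time against missing commands, is shown below as an added example written for this note (not tooling from the original). It assumes OpenSSH `Accepted ... for <user> from <src>` lines in auth.log, that history files carry the `#<epoch>` stamps bash writes when `HISTTIMEFORMAT` is set, that the caller supplies the year syslog omits, and a 12-hour window after login in which commands are expected; the auth.log lines and history files are constructed sample data. It flags three of the Indirect Indicators: an authenticated session with no commands in the window, an empty history for a user who logged in, and a history that cannot be correlated because it has no timestamps.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple

# OpenSSH "Accepted <method> for <user> from <src> ..." lines as written to auth.log.
ACCEPTED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)
# bash writes "#<epoch>" before each command when HISTTIMEFORMAT is set (assumed here).
STAMP = re.compile(r"^#(\d{9,10})$")


class Session(NamedTuple):
    user: str
    src: str
    login: datetime


class Verdict(NamedTuple):
    user: str
    login: str
    commands_in_window: int
    note: str


def parse_sessions(auth_lines: List[str], year: int) -> List[Session]:
    """Syslog timestamps carry no year, so the caller supplies it (UTC assumed)."""
    sessions = []
    for line in auth_lines:
        m = ACCEPTED.match(line)
        if m:
            login = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
            sessions.append(Session(m["user"], m["src"], login))
    return sessions


def history_timestamps(lines: List[str]) -> List[datetime]:
    """Timestamps of recorded commands; empty if the file has no '#<epoch>' stamps."""
    stamps = []
    for line in lines:
        m = STAMP.match(line.strip())
        if m:
            stamps.append(datetime.fromtimestamp(int(m[1]), tz=timezone.utc))
    return stamps


def correlate(auth_lines: List[str], histories: Dict[str, List[str]],
              year: int, window_hours: int = 12) -> List[Verdict]:
    """For each accepted login, count history entries inside [login, login + window]."""
    window = timedelta(hours=window_hours)
    verdicts = []
    for s in parse_sessions(auth_lines, year):
        lines = histories.get(s.user)
        when = s.login.isoformat()
        if not lines:
            verdicts.append(Verdict(s.user, when, 0, "no history file or empty history"))
            continue
        stamps = history_timestamps(lines)
        if not stamps:
            verdicts.append(Verdict(s.user, when, 0, "history has no timestamps; cannot correlate"))
            continue
        n = sum(1 for t in stamps if s.login <= t <= s.login + window)
        note = "OK" if n else "authenticated session but no commands in window"
        verdicts.append(Verdict(s.user, when, n, note))
    return verdicts


def flagged(verdicts: List[Verdict]) -> List[Verdict]:
    return [v for v in verdicts if v.note != "OK"]


# Constructed sample data (RFC 5737 documentation addresses, invented hostnames).
SAMPLE_AUTH = [
    "Nov 14 09:12:01 web1 sshd[1311]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2",
    "Nov 14 22:40:15 web1 sshd[2087]: Accepted password for root from 203.0.113.5 port 51234 ssh2",
    "Nov 14 22:40:15 web1 sshd[2087]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Nov 14 23:01:07 web1 sshd[2190]: Accepted publickey for bob from 198.51.100.9 port 50310 ssh2",
    "Nov 15 03:05:44 web1 sshd[2411]: Failed password for invalid user admin from 203.0.113.9 port 44120 ssh2",
]
SAMPLE_HISTORIES = {
    # alice: two commands at 09:13 and 09:15 UTC on Nov 14, right after her login
    "alice": ["#1699953190", "cd /var/www", "#1699953300", "tail -n 50 error.log"],
    # root: last entries are from Nov 10; nothing after the Nov 14 22:40 login
    "root": ["#1699600000", "apt update", "#1699600060", "apt upgrade -y"],
    # bob: history file present but emptied
    "bob": [],
}

if __name__ == "__main__":
    for v in flagged(correlate(SAMPLE_AUTH, SAMPLE_HISTORIES, year=2023)):
        print(f"{v.user} login {v.login}: {v.commands_in_window} commands, {v.note}")
```

The root and bob sessions are flagged; alice's is not. When a history has no timestamps the verdict says so rather than guessing, since without `HISTTIMEFORMAT` the file order alone cannot place commands against the login time, which is when the journald and process-execution pivots in the tree become the only way forward.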
Example Detection Templates
Grep
grep -R "unset HISTFILE\|history -c\|HISTSIZE=0\|HISTFILESIZE=0\|set +o history" /home /root /etc 2>/dev/null
Journalctl
journalctl | grep -Ei "history|bash"
File Metadata
stat /root/.bash_history
stat /home/*/.bash_history
Timeline Correlation
grep "Accepted" /var/log/auth.log
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Auditd | Record shell execution independently | Critical | Survives history deletion |
| Central logging | Forward auth and shell events | Critical | Preserves evidence |
| Shell restrictions | Restrict root shell abuse | High | Limits stealth |
| Session recording | Enable shell session capture | High | Strong forensic value |
| File integrity monitoring | Monitor history files | Medium | Detects tampering |