So, you have run some commands on a Linux machine that you don't want others to see? For example, I like to use chpasswd to change a password in the system because this way it's more visual.
However, anyone who has access to the root account (knowing the root password, or if they are present in the sudoers file) could see the sensitive information.
To prevent this, we need to delete those last commands from the bash history log.
You could edit the history log file in the user's home directory (~/.bash_history), but that case you would leave your traces. If someone checked the log, they would see that you edited the bash history log for some reason.
You want to delete all traces. So, what can you do?
1. Remove last part of the history from the machine itself
One neat technique is to exploit the fact that you can delete a certain line from history. In our case we want to delete line 336 and everything after it.
If we delete line 341, then 342 becomes 341, and so on so forth.
That means we simply need to delete line 339 that many times as how many lines we have after it, plus one (which is our delete command itself).
Let's take an example.
In this case in line 337 of the history log we have the information we want to remove and everything after is as it would have never happened.
We will use the history -d command to accomplish it, which will eventually become entry 342 in history. So, we want to run the "history -d 337" command six times. We can do that in multiple ways:
for i in $(seq 337 342); do history -d 337; done
# We don't care about the "i" variable, nor any sequence numbers. They are only there because it's simpler to make the computer calculate the proper number of how many times to run the command after the "do" part. We can achieve the same this way:
for i in {1..6}; do history -d 337; done
This is how our history looks like after our command. Everything is deleted after line 337, which entry contained our password earlier. Now it only contains the command "history" that we've just used to list the history log.
2. Simply delete the history log remotely
As a less elegant alternative solution, we can simply remove the bash history file from the computer remotely, using another box.
The log file that needs to be gone is called .bash_history, and it's located in the home directory of the specific user who's command history we want to wipe.
The important thing is that we'll use SSH and the user account we authenticate with needs to have write access for the bash log file.
For the root it's simple, as the superuser has access to all files in the filesystem. However, many times the root account is not allowed to use SSH, or we simply don't know it's password.
That case we can use a regular user to SSH into the box. If we use a regular user make sure it's added to the sudoers file with the NOPASSWD attribute, so they can use sudo to run the rm command with root privileges!
Here is an example sudoers entry for user zsolt to run the rm command with elevated permissions:
# Remove bash history with root credentials ssh root@10.0.0.100 'rm /root/.bash_history' # Remove bash history with user credentials, which user has sudo privileges as discussed earlier ssh zsolt@10.0.0.100 'sudo rm /root/.bash_history'
Enjoy 🙂
Comments