Jailed SSH user logs

Discussion in 'General' started by variable99, Feb 3, 2024.

  1. variable99

    variable99 Member

    I (as a root user) need to save all jailed SSH user logs (bash history). Is this possible?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    To maintain Bash history logs for users on a Linux system in a way that prevents users from deleting them, you can follow these steps:

    Centralize Bash History Logs:
    - Redirect users' Bash history to a centralized location that normal users cannot modify. This can be done by setting the HISTFILE environment variable in a global configuration file like /etc/profile or /etc/bash.bashrc (this likely has to be done in the jail).
    - For example, add a line like export HISTFILE=/var/log/user_history/${USER}_history.txt. This will save each user's history in a separate file in /var/log/user_history/.

    Create a Dedicated Directory for History Logs:
    - Create a directory for the history logs, e.g., /var/log/user_history/.
    - Set appropriate permissions so that only root or a designated administrator can modify or delete these files.

    Make the History Files Append-Only:
    - Use the chattr command to make history files append-only. This means that once a line is added to the history file, it cannot be modified or deleted by the user.
    - For example, sudo chattr +a /var/log/user_history/*.txt.

    Configure Bash to Log Everything:
    - In /etc/bash.bashrc or /etc/profile, you can set additional Bash history options. For example:
    - export HISTSIZE=5000 to increase the size of the history.
    - export HISTFILESIZE=5000 to increase the size of the history file.
    - export HISTCONTROL=ignoredups:erasedups to ignore duplicate entries.
    - export PROMPT_COMMAND='history -a' to append history to the file after every command.

    Restrict Users from Modifying Global Configuration Files:
    - Ensure that files like /etc/profile, /etc/bash.bashrc, and others are only writable by the root user. This prevents users from changing the environment variables that control the history behavior.

    Periodic Backup and Monitoring:
    - Regularly back up the history files to a secure location.
    - Implement monitoring to detect any unauthorized changes or attempts to modify the history files.

    Inform Users:
    - It’s important to inform users about these changes, especially if it’s in an environment where such monitoring might affect user privacy or trust.

    These steps assume that users are not using shells other than Bash, as different shells have different history mechanisms. So you might have to test whether this also works with the jailkit shell, or if there are other mechanisms in this case.
     
    Th0m and ahrasis like this.
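A worked version of the steps in the post above, as an added example (not code from this thread, from ISPConfig or from jailkit): a small script, called histlog-setup.sh here (the name is an assumption), that root runs on the host against one jail. It writes the history settings into the jail's /etc/bash.bashrc, creates one append-only file per named user under /var/log/user_history inside the jail (the directory must live under the jail root, or the jailed shell cannot reach it), and refuses user names that could escape that directory. It assumes the jailed login shell is bash 4.3 or newer and reads /etc/bash.bashrc inside the jail (otherwise put the same fragment into the jail's /etc/profile), and that the filesystem under the jail supports chattr (ext4, xfs, btrfs).

```shell
#!/bin/sh
# histlog-setup.sh (hypothetical name; added example, not code from this thread,
# from ISPConfig or from jailkit). Run as root on the host, once per jail:
#   sudo sh histlog-setup.sh /path/to/jail alice bob
# Assumptions: the jailed login shell is bash (>= 4.3) and reads /etc/bash.bashrc
# inside the jail; the filesystem under the jail honours chattr.
set -eu

HIST_SUBDIR=var/log/user_history          # path as seen from inside the jail
MARK_BEGIN='# >>> centralised bash history (histlog-setup) >>>'
MARK_END='# <<< centralised bash history (histlog-setup) <<<'

# Bash fragment for the jail's /etc/bash.bashrc. HISTFILESIZE=-1 ("no limit")
# matters: with a positive value bash truncates, i.e. rewrites, the history
# file at exit, and a rewrite of an append-only file fails.
history_snippet() {
    cat <<EOF
$MARK_BEGIN
if [ -n "\$BASH_VERSION" ] && [ -n "\$PS1" ]; then
    export HISTFILE="/$HIST_SUBDIR/\${USER:-\${LOGNAME:-unknown}}_history.txt"
    export HISTTIMEFORMAT='%F %T '        # each saved line gets a timestamp
    export HISTSIZE=5000
    export HISTFILESIZE=-1
    export HISTCONTROL=ignoredups         # erasedups only pays off with 'history -w', a rewrite
    shopt -s histappend
    export PROMPT_COMMAND='history -a'    # flush every command as soon as it is entered
    readonly HISTFILE HISTFILESIZE HISTCONTROL PROMPT_COMMAND
fi
$MARK_END
EOF
}

history_file_path() {                     # history_file_path JAIL_ROOT USER
    printf '%s/%s/%s_history.txt\n' "$1" "$HIST_SUBDIR" "$2"
}

valid_user() {                            # reject names that could escape the directory
    case $1 in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Append the fragment to JAIL_ROOT/etc/bash.bashrc exactly once; root-owned 0644
# so the jailed user cannot edit it (chown only happens when running as root).
install_snippet() {
    rc="$1/etc/bash.bashrc"
    mkdir -p "$1/etc"
    if ! grep -qF "$MARK_BEGIN" "$rc" 2>/dev/null; then
        history_snippet >> "$rc"
    fi
    chmod 0644 "$rc"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$rc"; fi
}

ensure_history_dir() {
    d="$1/$HIST_SUBDIR"
    mkdir -p "$d"
    chmod 0711 "$d"     # users can reach their own file but cannot list, create or unlink
}

# Create (never truncate) the user's file, mode 0600, and print its host-side path.
prepare_history_file() {
    valid_user "$2" || { echo "refusing unsafe user name: $2" >&2; return 1; }
    ensure_history_dir "$1"
    f=$(history_file_path "$1" "$2")
    : >> "$f"
    chmod 0600 "$f"
    printf '%s\n' "$f"
}

# Privileged part: ownership and the append-only attribute. The user can still
# append (so bash can write) but cannot truncate, unlink, rename or chattr -a.
main() {
    jail=$1; shift
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -d "$jail/etc" ] || { echo "no such jail root: $jail" >&2; return 1; }
    install_snippet "$jail"
    ensure_history_dir "$jail"
    chown root:root "$jail/$HIST_SUBDIR"
    for u in "$@"; do
        f=$(prepare_history_file "$jail" "$u")
        chown "$u" "$f"
        chattr +a "$f"
        lsattr "$f"         # the 'a' flag should now show in the output
    done
}

if [ $# -ge 2 ]; then main "$@"; elif [ $# -eq 1 ]; then echo "usage: $0 JAIL_ROOT USER..." >&2; exit 2; fi
```

The files are created and protected up front because chattr +a can only be applied to files that already exist; a user added later needs another run. Treat the result as a deterrent rather than an audit trail: a jailed user who can run commands can still start bash --norc or type them into another interpreter, and nothing in bash can stop that. For tamper-evident logging of what jailed users type, pam_tty_audit or auditd rules are the usual next step.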
