
Insider Threat Matrix™

  • ID: AF001.002
  • Created: 25th May 2024
  • Updated: 09th June 2024
  • Platforms: Linux, MacOS
  • Contributor: The ITM Team

Clear Bash History

A subject clears bash terminal command history to prevent executed commands from being reviewed, which would disclose information about the subject’s activities.

The Command Prompt on Windows only stores command history within the current session; once Command Prompt is closed, the history is lost.

On Linux-based operating systems, different terminal software may store command history in various locations, the most common being /home/%username%/.bash_history. The command history -c clears the history for the current session, preventing it from being written to .bash_history when the session ends.

On macOS, the Terminal utility writes command history to /Users/%username%/.zsh_history or /Users/%username%/.bash_history, depending on the operating system version.

Prevention

ID Name Description
PV001 No Ready System-Level Mitigation

This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

Detection

ID Name Description
DT054 .bash_history Timestamp Discrepancy

The .bash_history file, located within a user's directory on macOS and Linux, is written with command history from shell sessions.

If the file's Created timestamp is later than shell use the user is known to have carried out previously, this may indicate the file was deleted and then re-created, manually or automatically.

DT053 Missing .bash_history File

The .bash_history file, located within a user's directory on macOS and Linux, is written with command history from shell sessions.

If the file is missing and the user account has previously used a shell utility, this could indicate that it has been deleted.
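
The two detections above can be combined into a single triage check. The following is an added example, not part of the ITM framework. The function names, the first_session_end input (the end time of the user's earliest known shell session, taken from an independent source such as login records) and the 60-second slack are assumptions made for illustration.

```python
import os
import subprocess
import tempfile
from pathlib import Path

def birth_time(path):
    """Creation (birth) time in epoch seconds, or None when it is not exposed."""
    st = os.stat(path)
    if hasattr(st, "st_birthtime"):              # macOS / BSD
        return st.st_birthtime
    try:                                         # Linux: GNU stat prints 0 if unknown
        out = subprocess.run(["stat", "-c", "%W", str(path)],
                             capture_output=True, text=True, check=True).stdout
        return float(out) or None
    except (OSError, subprocess.CalledProcessError, ValueError):
        return None

def check_home(home, first_session_end, slack=60, get_birth=birth_time):
    """Apply DT053 and DT054 to one home directory.

    first_session_end (assumption): epoch seconds at which the user's earliest
    known shell session ended, from an independent source such as login
    records; None means no prior shell use is known. slack is in seconds.
    """
    hist = Path(home) / ".bash_history"
    if first_session_end is None:
        return "no-prior-shell-use"              # neither detection applies
    if not hist.exists():
        return "DT053"                           # missing despite prior shell use
    born = get_birth(hist)
    if born is None:
        return "birth-time-unavailable"          # DT054 cannot be evaluated here
    if born > first_session_end + slack:
        return "DT054"                           # created after earlier shell use
    return "ok"

if __name__ == "__main__":
    # Constructed sample: a temporary "home" and a made-up session end time.
    with tempfile.TemporaryDirectory() as home:
        print(check_home(home, first_session_end=1_700_000_000))
        (Path(home) / ".bash_history").write_text("ls\n")
        # The file now exists but was created long after the constructed session.
        print(check_home(home, first_session_end=1_700_000_000))
```

A "birth-time-unavailable" result means the filesystem or stat tool does not report creation time, so DT054 has to be assessed from other forensic sources on that host.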