Best Practices For Managing Bash History

ByThe Aha Unix Team

Controlling Bash History Storage

The Bash shell stores previously entered commands in a history list which allows you to access and reuse them. However, unchecked storage of command history can use up system resources and expose sensitive information. Fortunately, Bash provides configuration options to control how much history is saved and exclude sensitive commands.

Setting HISTSIZE and HISTFILESIZE to limit history size

The HISTSIZE and HISTFILESIZE variables control the maximum number of commands stored in the Bash history list and history file respectively. By default, Bash saves the last 500 commands entered by a user. To alter this behavior, the HISTSIZE and HISTFILESIZE variables can be set to different numeric values in the Bash startup scripts like ~/.bash_profile.

For example, adding the lines below will restrict the history list size to 100 commands and history file size to 200 commands:

HISTSIZE=100
HISTFILESIZE=200

This ensures Bash history does not grow unchecked and overwrite system resources. The appropriate history size limit depends on your usage needs and available storage capacity.

Configuring HISTIGNORE to exclude unwanted commands

You may wish to exclude commands containing certain strings or patterns from Bash history. This prevents sensitive data like passwords and API keys from being stored. The HISTIGNORE variable can be set to match unwanted commands and exclude them from being saved in history.

Example: Exclude commands starting with space

A common convention is using space at the start of a command line to mark it as private and not to be stored in history. This can be achieved by setting HISTIGNORE as follows:

HISTIGNORE=' *[ ]'

Now any command line starting with a space character will not be present in history after it is entered. This provides an easy way to keep sensitive commands out of stored history.

Protecting Sensitive Commands in Bash History

In cases where sensitive commands cannot be excluded from Bash history using HISTIGNORE, additional steps can be taken to prevent exposing passwords, API keys and other private data through stored history.

Using unset to prevent sensitive data in history

The unset command can be used to delete variables containing sensitive strings or data immediately after providing them on the command line. This prevents the sensitive strings from remaining in shell memory and being copied into Bash history.

For example, consider a command like below to authenticate using a cloud provider API key stored in a variable:

  
aws configure set aws_access_key_id $API_KEY

This can be modified as follows to unset the API key variable immediately after configuring authentication:

aws configure set aws_access_key_id $API_KEY
unset API_KEY

The API credentials are removed from the shell’s memory and will not be present in the history after entering the unset command.

Clearing the history after sensitive commands

An alternative approach is to clear the Bash command history immediately after entering any sensitive commands. This can be done via a function or script which runs the following after sensitive commands:

history -c
history -w

This clears the current in-memory history and also truncates the history file to empty. No commands entered prior to this point will be stored in future Bash history.

Example: Clear history after AWS CLI commands

As an example, consider setting up a shell function to clear history after using AWS CLI to manage cloud resources:

  
function aws_secure {
  aws $1 // passes arguments to aws cli 
  history -c
  history -w
}

Now wrap AWS cli commands like:

aws_secure s3 ls my-bucket

This will clear history immediately after running the aws cli command, preventing any secrets, access keys etc. from being stored.

Enhancing Bash History Search and Recall

Bash history storage serves little purpose if previously entered important commands cannot be quickly searched through and recalled when needed again. Fortunately, Bash provides customizable history search and recall capabilities.

Setting HISTCONTROL for convenient history recall

The HISTCONTROL variable manages how commands from history are recalled and executed by Bash. One useful setting is:

 
HISTCONTROL=ignoredups

This tells Bash to ignore duplicate entries when recalling commands from history. Now a command can be recalled by number from history (e.g. !148) without risk of executing it twice if present multiple times.

Using history command with options like -p and -a

The built-in history command provides powerful capabilities to search and recall previous commands entered. Useful options include:

  • -p: Performs history expansion on a provided string, used within command substitution
  • -a: Appends history lines from current session to history file
  • -r: Reads saved history lines appending them to current session

Refer to history command manual for additional capabilities.

Example: Search through command history interactively

The following prompt code enables interactive search through previous command history:

history -r # reload history 
echo "history search"
while read -p ">" cmd; do
  history -p "!$cmd"
done

This reloads history lines from file, then prompts for text to search. Entering a string lists commands containing it allowing them to be easily recalled.

Bash History Persistence and Sharing

By default Bash shell history is usually lost when sessions end. Enabling history persistence allows you to record important command sequences for analyzing long term usage patterns and sharing tricks with other users.

Saving Bash history across sessions with HISTFILE

The HISTFILE variable specifies where Bash shell history is saved by default. To enable persistence, set this location to a shared file rather than one reset on reboot:

HISTFILE=~/.bash_eternal_history

Now command history from all sessions is recorded to the same file allowing long term storage.

Sharing selected Bash history with history -w

Instead of exposing your entire command history, selected useful snippets can be shared using:

  
history -w /tmp/my_useful_commands

This writes the current in-memory history to the specified file. An appropriate subset of commands can be selected before executing this.

Example: Append only git commands to external history file

To store an ongoing record of git commands entered, the following can be added to .bashrc:

export GIT_HISTORY=/tmp/my_git_commands  
alias githis='history -a $GIT_HISTORY'

Now git commands can be appended to file with:

  
git commit -m "changes"
githis

The external file preserves all git commands sequentially for sharing or personal reference.

Leave a Reply

Your email address will not be published. Required fields are marked *