metwork-framework / mfext

metwork/mfext module
http://metwork-framework.org/mfext
BSD 3-Clause "New" or "Revised" License

allow disabling command history or restrict the number of saved commands #1823

Closed matthieumarrast closed 5 months ago

matthieumarrast commented 6 months ago

Problem

In the module HOME directory, the file .bash_history stores the history of the commands entered by the module user (mfserv, mfdata, mfbase, etc.). These commands can be accessed using the history command.

During a security audit in February 2024, we detected in this command history some commands that can leak sensitive data or operations.

We recommend removing the command history.

Solution

Add a configuration option in the metwork module in order to disable the command history (can be useful in a production environment) or to restrict the number of saved commands.

In the module config, we can add:

[misc]
# Enable/disable command history
# Default: 1 (enabled)
command_history=1
# Number of commands in history
# default: unlimited
# command_history_size=10

This will result in the execution of the commands below in the module bash_profile or bashrc:

If command_history=0:

unset HISTFILE

If command_history_size=10:

export HISTSIZE=10

matthieumarrast commented 6 months ago

Workaround

To disable history for a metwork user, add unset HISTFILE in ~/.metwork.custom_profile

thebaptiste commented 5 months ago

This will be done at admin level on exposed machines. We will not complicate module configuration for this need. So I think we can close this issue?

matthieumarrast commented 5 months ago

Yes, we can close. Below is a command for disabling the history file for all the modules, as root:

# Run as root. Overwrites any existing .metwork.custom_profile of each module user.
for module in mfserv mfbase mfdata mfsysmon; do
    echo "unset HISTFILE" | tee "/home/${module}/.metwork.custom_profile" >/dev/null 2>&1 \
        && chown "${module}:metwork" "/home/${module}/.metwork.custom_profile" >/dev/null 2>&1 \
        || true
done
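
A read-only check that the workaround discussed in this thread is in place, added here as an example and not part of the issue or of mfext itself. It also flags a leftover non-empty .bash_history, since unset HISTFILE only stops new commands from being saved; the function names, status words and the AUDIT_BASE variable are assumptions of this example, and the module list is the one from the command above.

```sh
#!/bin/sh
# Added example (hypothetical helper names): audit module homes for the
# "unset HISTFILE" workaround without modifying anything.

MODULES="mfserv mfbase mfdata mfsysmon"   # module users named in the thread

# Print one status word for the module home "$1/$2":
#   no-home       home directory does not exist
#   not-disabled  custom profile missing or has no active "unset HISTFILE"
#   stale         history disabled, but a non-empty .bash_history remains
#   ok            history disabled and no leftover history content
history_status() (
    home="$1/$2"
    [ -d "$home" ] || { echo no-home; exit 0; }
    profile="$home/.metwork.custom_profile"
    # Only an uncommented "unset HISTFILE" line counts.
    if ! grep -Eq '^[[:space:]]*unset[[:space:]]+HISTFILE([[:space:]]|;|$)' \
            "$profile" 2>/dev/null; then
        echo not-disabled
    elif [ -s "$home/.bash_history" ]; then
        echo stale
    else
        echo ok
    fi
)

# Report every module under base directory $1 (default /home).
# Exit status is non-zero if any existing home is not "ok".
audit_modules() (
    base="${1:-/home}"
    rc=0
    for module in $MODULES; do
        st=$(history_status "$base" "$module")
        printf '%s\t%s\n' "$module" "$st"
        case "$st" in ok|no-home) ;; *) rc=1 ;; esac
    done
    exit "$rc"
)

# AUDIT_BASE is an assumption of this example, used to point at another root.
audit_modules "${AUDIT_BASE:-/home}" \
    || echo "history still enabled or old history left behind" >&2
```

Run it as root (or as a user that can read the module homes); the non-zero status of audit_modules makes it usable from a cron job or a configuration-management check.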