[KMag]

I had been in the habit of symlinking ~/.bash_history to /dev/null to avoid AFS/NFS writes on every local command execution. When I moved over to the financial industry, it didn't occur to me that such a symlink might look like an attempt to evade monitoring. A year or two in, I realized it didn't look good, but it had clearly been made my first week on the job, so I just left it in place for over 10 years rather than risk looking like I was again monkeying with my history.

I hope and presume they had much better monitoring than scanning bash history, but I'm not bet-my-career confident of that.

[dijit]

> I hope and presume they had much better monitoring than scanning bash history, but I'm not bet-my-career confident of that.

bash has an "audit" function which is normally compiled out.

https://git.savannah.gnu.org/cgit/bash.git/tree/configure#n1...

When enabled it logs to syslog.

[mmh0000]

Enterprises that requires logging of user actions will very likely not being doing it at the shell level, either through compiled in options, or shell history.

Instead, the Kernel has built in functionality called Auditd[0], which is capable of logging any and all executions, file or socket accesses, and much more. Along with included tooling for quickly finding and alerting on events[3].

Further, if terminal logging or playback is really required (usually not), it's generally done through pam with tlog[1]. Red Hat 8 and above come with built-in tlog support[2].

[0] https://access.redhat.com/documentation/en-us/red_hat_enterp...

[1] https://github.com/Scribery/tlog/blob/main/README.md

[2] https://access.redhat.com/documentation/en-us/red_hat_enterp...

[3] https://wiki.archlinux.org/title/Audit_framework

[JetSpiegel]

It's simpler to use a tmpfs for this purpose. $XDG_RUNTIME_DIR is already available, on modern Linux versions.

[ttyprintk]

systemd-tmpfiles can be configured to delete a path upon ‘systemd-tmpfiles —-user clean’