Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s.bash_historyfile. For each user, this file resides at the same location:~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
cat .bash_history | grep password > bash.txt
auditlogs (audit.rules)
bash_history logs
index=linux sourcetype="linux_audit" syscall=257 key=bash_history_changes | table host,auid,syscall,syscall_name,exe
index=linux sourcetype=bash_history cat bash_history | table _time,host,user_name,bash_command
Note: We need to add the rule for each users' bash_history file under their home location. Wildcard expression () is not accepted in the audit.rules so we can NOT create a rule that watches the path = /home//.bash_history