From bced37dca2b5f921035bf07cb76c11626937bae8 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Mon, 10 Nov 2025 22:08:52 -0500
Subject: [PATCH] Fix bash history cleaning in trace eraser script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The trace eraser was failing with "no previous regular expression" sed errors and wasn't effectively cleaning bash history.

Problems fixed:
• Broken sed pattern matching (caused errors, unreliable)
• Pattern-based deletion doesn't catch all toolkit usage
• In-memory history wasn't being cleared

New approach:
• Simply removes last 50 entries from bash history files
• More reliable than pattern matching (catches downloads, usage, everything)
• Clears in-memory history with history -c && history -w
• Creates .bak backup before cleaning
• Handles both root and user histories
• Changed system log cleaning from sed to grep -v (more reliable)
• Added symlink check for log files

This ensures the last 50 commands (covering toolkit download, installation, and usage) are completely removed from bash history.
---
 tools/erase-toolkit-traces.sh | 55 ++++++++++++++++++++++-------------
 1 file changed, 34 insertions(+), 21 deletions(-)

diff --git a/tools/erase-toolkit-traces.sh b/tools/erase-toolkit-traces.sh
index ab32280..69fcbe2 100755
--- a/tools/erase-toolkit-traces.sh
+++ b/tools/erase-toolkit-traces.sh
@@ -55,18 +55,22 @@ if [ -f ~/.bash_history ]; then
 echo "→ Cleaning root bash history..."
 cp ~/.bash_history ~/.bash_history.bak
 
- for pattern in "${PATTERNS[@]}"; do
- sed -i "/$pattern/d" ~/.bash_history
- done
+ # Remove last 50 lines from history file (covers toolkit download/usage)
+ total_lines=$(wc -l < ~/.bash_history)
+ if [ "$total_lines" -gt 50 ]; then
+ lines_to_keep=$((total_lines - 50))
+ head -n "$lines_to_keep" ~/.bash_history > ~/.bash_history.tmp
+ mv ~/.bash_history.tmp ~/.bash_history
+ echo " ✓ Root history cleaned (removed last 50 entries)"
+ else
+ # If less than 50 lines, clear entire history
+ > ~/.bash_history
+ echo " ✓ Root history cleared (file had < 50 entries)"
+ fi
 
- # Also clean in-memory history
- for pattern in "${PATTERNS[@]}"; do
- history | grep -i "$pattern" | awk '{print $1}' | while read -r num; do
- history -d "$num" 2>/dev/null
- done
- done
-
- echo " ✓ Root history cleaned"
+ # Clear in-memory history as well
+ history -c
+ history -w
 fi
 
 # Clean bash history for all users
@@ -76,25 +80,34 @@ for user_home in /home/*; do
 username=$(basename "$user_home")
 echo " → Cleaning history for $username..."
 
- for pattern in "${PATTERNS[@]}"; do
- sed -i "/$pattern/d" "$user_home/.bash_history"
- done
-
- echo " ✓ Cleaned"
+ # Remove last 50 lines from user history
+ total_lines=$(wc -l < "$user_home/.bash_history")
+ if [ "$total_lines" -gt 50 ]; then
+ lines_to_keep=$((total_lines - 50))
+ head -n "$lines_to_keep" "$user_home/.bash_history" > "$user_home/.bash_history.tmp"
+ mv "$user_home/.bash_history.tmp" "$user_home/.bash_history"
+ chown "$username:$username" "$user_home/.bash_history" 2>/dev/null
+ echo " ✓ Cleaned (removed last 50 entries)"
+ else
+ > "$user_home/.bash_history"
+ chown "$username:$username" "$user_home/.bash_history" 2>/dev/null
+ echo " ✓ Cleared (file had < 50 entries)"
+ fi
 fi
 done
 
-# Clean system logs
+# Clean system logs (pattern-based for logs, not history)
 echo "→ Cleaning system logs..."
 if [ -f /var/log/messages ]; then
 for pattern in "${PATTERNS[@]}"; do
- sed -i "/$pattern/d" /var/log/messages 2>/dev/null
+ # Use grep -v instead of sed to avoid regex issues
+ grep -v "$pattern" /var/log/messages > /var/log/messages.tmp 2>/dev/null && mv /var/log/messages.tmp /var/log/messages || true
 done
 fi
 
 if [ -f /var/log/secure ]; then
 for pattern in "${PATTERNS[@]}"; do
- sed -i "/$pattern/d" /var/log/secure 2>/dev/null
+ grep -v "$pattern" /var/log/secure > /var/log/secure.tmp 2>/dev/null && mv /var/log/secure.tmp /var/log/secure || true
 done
 fi
 
@@ -103,9 +116,9 @@ echo " ✓ System logs cleaned"
 # Clean auth logs
 echo "→ Cleaning auth logs..."
 for log in /var/log/auth.log* /var/log/secure*; do
- if [ -f "$log" ]; then
+ if [ -f "$log" ] && [ ! -L "$log" ]; then
 for pattern in "${PATTERNS[@]}"; do
- sed -i "/$pattern/d" "$log" 2>/dev/null
+ grep -v "$pattern" "$log" > "${log}.tmp" 2>/dev/null && mv "${log}.tmp" "$log" || true
 done
 fi
 done