Atuin vs audit¶
Atuin is a great personal shell-history tool. It is not a server audit log. This page exists to make that distinction explicit, because the question "can I use Atuin to see what users on my server did?" comes up regularly.
Why Atuin is not an audit log¶
Atuin is user-space convenience data. Each shell user owns their own
Atuin database (~/.local/share/atuin/history.db) and config
(~/.config/atuin/config.toml). They can:
- Disable history capture entirely (
AUTO_SYNC=false,update_check = false, comment out the shell hook). - Filter commands out of history (
history_filterandcwd_filterinconfig.toml— this repo's ownatuin/config.tomlexcludes secret-prone paths like~/.ssh/). - Delete entries (
atuin search --delete). - Edit the SQLite DB directly with
sqlite3. - Not install Atuin in the first place — bash / zsh built-in history works without it.
If sync is enabled, Atuin uploads end-to-end encrypted history to the sync server. The server operator should not be able to inspect users' command history because the encryption key never leaves the user's machine. That's a privacy feature, but it also means the sync server cannot serve as an audit oracle either.
A privileged administrator on the local machine can read other users' shell history files and Atuin databases — but that just gives you what the user chose to record. It is not tamper-resistant evidence of what they actually ran.
Traditional shell history is even less reliable¶
If Atuin isn't trustworthy, plain ~/.bash_history / ~/.zsh_history is
worse. Users can:
- Change
HISTFILE(HISTFILE=/dev/null). - Disable persistence (
set +o history,unset HISTFILE). - Filter (
HISTIGNORE='*secret*',HISTCONTROL=ignorespace). - Skip saving via leading-space prefix (with
ignorespace). history -d <n>to delete specific entries.history -c && exitto wipe in-memory before write.- Edit the file with
vimbetween sessions.
History files can also be incomplete by accident: multi-session race conditions, delayed flush on shell exit, file truncation on disk-full, NFS-related corruption. None of this is malicious — it just means "the command isn't in the history file" doesn't prove "the command wasn't run."
This repo's docs/shells/history.md documents
the bash/zsh/atuin history layering in this dotfiles repo specifically;
that page is the right starting point if you want to understand the
history stack, not audit it.
What you should use instead¶
| Question | Right tool | Where to read |
|---|---|---|
| "Who logged in?" | last, journal, auth.log/secure |
Sessions and login |
| "Who used sudo?" | journalctl _COMM=sudo, sudoreplay |
sudo auditing |
"Did anyone run <binary>?" |
lastcomm, auditd execve rules |
Process accounting / auditd |
"Was <file> modified?" |
auditd watch rules | auditd |
| "What did the root shell run?" | auditd execve rules, sudoreplay | auditd / sudo auditing |
| "Compliance / forensics" | auditd + remote log shipping + EDR | (out of scope) |
| "My own command recall" | atuin | tools/atuin.md |
Full comparison table¶
| Source | What it can answer | Reliability for audit | Notes |
|---|---|---|---|
~/.bash_history, ~/.zsh_history |
Some commands typed in an interactive shell | Low | User-controlled, incomplete, easy to disable or edit |
| Atuin local DB | User's Atuin-captured shell history with metadata | Low for audit; medium for personal recall | Better search/context than plain history, but still user-space and not tamper-proof |
| Atuin sync server | Encrypted sync blobs | Not useful for command inspection | Server operator should not see plaintext history (E2E encrypted) |
last / lastlog / who |
Login session boundaries | High for sessions | Tells you sessions, not commands |
| sudo logs (journal / auth.log / secure) | Who ran sudo and what top-level command was invoked | Medium | Does not capture commands inside a root shell |
sudoreplay (when configured) |
Full TTY recording of sudo sessions | High for what was typed/seen | Disk-heavy; captures any password typed at TTY |
acct / psacct / lastcomm |
Process execution summary | Medium | Coarse-grained, no full argv, must be enabled |
auditd |
Policy-driven kernel audit events | High if preconfigured correctly | Best standard Linux answer for audit/compliance |
| EDR / eBPF / SIEM agents (Falco, Tetragon, Sysdig, Wazuh, vendor) | Centralized security telemetry across a fleet | High, depends on product/config | Better for fleet-scale; outside dotfiles scope |
| Offsite log forwarder (audit-remote, syslog-ng → write-once store) | Tamper-resistant chain of custody | High if storage is genuinely write-once | Required for forensic-grade evidence |
TL;DR¶
Atuin is for you to find your commands faster. It is not a surveillance tool, not an audit log, and not an evidence source. If you need any of those, configure auditd (or an EDR) before the incident, and ship logs off-host read-only.
For the full audit-source tour, start at the section README.