I have a recently installed Ubuntu Karmic with standard packages. I enabled automatic security updates and manually updated every package once. I have the root account enabled. At ~1am GMT my .bash_history file for the root account has been truncated to zero. I think the PC may have crashed (no keyboard, mouse, etc, but still some HD activity) at around this time. The disk isn't full, but this is a fresh install, I do not have direct net access (NAT) and I have only visited a limited number of web sites.

Can anyone think of innocuous reasons this would happen?

No, searched your syslogs and auth records for any anomalies? Are there any ~/.bash* configuration files (say the ~/.bash_log* ones) that include a "cleanup" line?

There are no cleanup lines, and it doesn't seem like something they would make updating packages do.

Yet, it's so unlikely to have been hacked with such limited exposure to the net. And for someone who hacked it with that limited exposure to be clumsy enough to truncate the .bash_history instead of just disabling their session history? That also seems weird...

OK...

I'd rather deal with facts than the chance of something being "likely" or "unlikely". Does "env | grep HIST" show any HISTFILESIZE, HISTSIZE and HISTIGNORE environment variables perhaps?

Can you check /var/log/messages, dmesg to see if your system did in fact crash/reboot?

No history stuff. My bash history is once again collecting normally, it didn't stay a zero size file.

The only activity around that time is:

Feb 9 01:05:45 box kernel: Kernel logging (proc) stopped.
Feb 9 01:05:45 box rsyslogd: [origin software="rsyslogd" swVersion="4.2.0" x-pid="513" x-info="http://www.rsyslog.com"] exiting on signal 15.

It's about the time I stopped using the system. The history file was truncated at 1:05 am too. I can't remember if the system crashed or I shut it down (yesterday the OS was in a different box which is prone to crashing) but it does closely match the time I went to bed.