Security Basics mailing list archives

Re: bash_history to track users


From: "Lothar Kimmeringer" <bugtraq () kimmeringer de>
Date: Thu, 06 Nov 2003 08:49:53 +0200

On Thu, 6 Nov 2003 00:44:08 -0500, Joe Szilagyi wrote:

> Is there any way to totally keep track of users, to the degree of adding
> timestamps and hostnames to each entry in the server's .bash_history files?

bash_history is quite the wrong place for this kind of thing,
because you only need to take e.g. ksh to avoid logging or
bring your own shell with you to have real control as a user.

> I want history
> to show like, this, and same from other people logging in...
>
> 114 barney.gumble.com passwd marge
> 115 barney.gumble.com adduser moe
> 116 65.23.18.95 cd /etc/conf/httpd
> 117 65.23.18.95 vi httpd.conf
> 118 barney.gumble.com pico .bachrc

Simple question: Why do you want to do this? If there was
somebody who was able to hack your system, he will hack your
history files as well, so most likely you will not be able
to find anything out this way.

Read some resources about intrusion detection, I'm sure
there will be some hints to help you harden your system.


Regards, Lothar

BTW: In Germany this kind of thing you're planning might be
     against the law.

-- 
Lothar Kimmeringer                E-Mail: mailbody () kimmeringer de
               PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
                 questions!


