Security Basics mailing list archives

Re: bash_history


From: l0rd4gu1 <l0rd4gu1 () icontrol com mx>
Date: Fri, 8 Apr 2005 23:03:06 -0500

Hi Alex

Use readonly to define the variable & use chattr for files

/etc/profile:
.
.
readonly HISTFILE=......
.
.

Raul
--
Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win. -- 
Sun-Tzu

Alejandro Flores(alejandro.flores () triforsec com br)@2005.04.08 18:50:51 +0000:
Hey there,

I was googling about a way to protect the bash_history file from user
removal or UNSET the HISTFILE variable and all I found was papers about
disabling this file for security reasons. Weird! Why is it recommended to
disable this file, when it contains the history of typed commands from
all users? Ok, ok, you can tell me that users may have typed passwords
in a bash session to gain access to a mysql database for example. 
But, if you need to do some forensics in your compromised server, this
file is the first place to know what the 'malicious dude' did to gain
root privileges, the server where he downloaded his craps, etc...
I started 'chown'ing the .bash_profile and .bashrc files to root, and
removed the 'wx' from group and others. The user has only read
permission.
But I can't prevent him from changing the HISTFILE variable. Like:
export HISTFILE=/dev/null
With this command, all my steps from now on aren't recorded.

Ideas?

Regards,
Alejandro Flores
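
The suggestion in the reply can be checked before it is rolled out. The following is an added example, not code from either poster: it loads a profile fragment with and without `readonly` in a fresh shell, replays the `export HISTFILE=/dev/null` line from the question, and reports whether HISTFILE survived. The history path, the function names and the `lsattr` check for `chattr +a` are assumptions.

```shell
#!/bin/sh
# Constructed profile fragments: the weak form and the form from the reply.
# The history path is an assumption; the original post elides the value.
WEAK='HISTFILE="$HOME/.bash_history"; export HISTFILE'
HARD='HISTFILE="$HOME/.bash_history"; readonly HISTFILE; export HISTFILE'

# Test in bash when it is installed, otherwise in the POSIX sh.
pick_shell() {
    if command -v bash >/dev/null 2>&1; then echo bash; else echo sh; fi
}

# try_tamper FRAGMENT ATTEMPT
# Loads FRAGMENT in a fresh shell, runs ATTEMPT on its own line, then prints
# "locked" if HISTFILE kept its value (or the shell refused and aborted),
# "tampered" if the variable was changed or unset.
try_tamper() {
    want="val=$HOME/.bash_history"
    script=$(printf '%s\n%s\nprintf "val=%%s" "${HISTFILE-UNSET}"\n' "$1" "$2")
    got=$("$(pick_shell)" -c "$script" 2>/dev/null) || true
    case "$got" in
        "$want"|"") echo locked ;;
        *)          echo tampered ;;
    esac
}

# is_append_only FILE
# Succeeds only if lsattr reports the 'a' flag, i.e. root ran: chattr +a FILE
is_append_only() {
    flags=$(lsattr -d -- "$1" 2>/dev/null | awk '{print $1}')
    case "$flags" in *a*) return 0 ;; *) return 1 ;; esac
}

# Replay the line from the question against both fragments.
for frag in "$WEAK" "$HARD"; do
    printf '%s\n  -> %s\n' "$frag" "$(try_tamper "$frag" 'export HISTFILE=/dev/null')"
done
```

`readonly` binds only shells that source the fragment, and `chattr +a` needs root on a filesystem that supports the attribute, so pair both with auditd or process accounting when the history is meant to serve as forensic evidence.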

