Security Basics mailing list archives
Re: bash_history
From: "John R. Morris" <jrmorris () nerdality com>
Date: Sat, 09 Apr 2005 03:51:22 -0400
Alejandro Flores wrote:
I don't particularly agree with forcing users to not have a shell history for security reasons, as long as they are aware of it, and it's not made easy (i.e., not world readable) for others to peruse. Systems with higher security requirements might be a different story. In general, my preference is to avoid passwords on the commandline. Most programs (MySQL as a case in point) will prompt you if you prefer that to typing the password as part of the arguments passed.Hey there, I was googling about a way to protect the bash_history file from user removal or UNSET the HISTFILE variable and all I found was papers about disabling this file for security reasons. Weird! Why it's recommended to disable this file, when it contains the history of typed commands from all users? Ok, ok, you can tell me that users may have typed passwordsin a bash session to gain access to a mysql database for example. But, if you need to do some forensics in your compromised server, thisfile is the first place to know what the 'malicious dude' did to gain root privileges, the server where he downloaded his craps, etc... I started 'chown'ing the .bash_profile and .bashrc files to root, and removed the 'wx' from group and others. The user has only read permission.
However, the purpose of a history file is for finding recent commands, etc. Not as an audit trail. For most purposes, you can look to sudo for auditing commands run as root. You'll have to work to setup an allowed list of commands (versus allowing them to run any command via sudo) to prevent them from simply spawning a new root shell, or if you disallow the system shells, compiling/copying and running that shell... Worth the effort. It sounds like you really want to audit/capture commands run as non-privileged users. The quickest way to do that reliably is in the OS kernel. Anything else, such as a modified shell, can be circumvented and requires additional effort on your part to counter those possibilities. Here's a decent one for Linux, there are quite a few for most OSes out there.
THC-VLOGGER Linux -- http://www.thc.org/
But I can't prevent him from changing the HISTFILE variable. Like: export HISTFILE=/dev/null With this command, all my steps from now aren't recorded. Ideas? Regards, Alejandro Flores --------------------------------------------------------------------------- Earn your MS in Information Security ONLINEOrganizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life.http://www.msia.norwich.edu/secfocus_en ----------------------------------------------------------------------------
- John --------------------------------------------------------------------------- Earn your MS in Information Security ONLINEOrganizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life.
http://www.msia.norwich.edu/secfocus_en ----------------------------------------------------------------------------
Current thread:
- bash_history Alejandro Flores (Apr 08)
- Re: bash_history Michael Gale (Apr 09)
- Re: bash_history l0rd4gu1 (Apr 09)
- Re: bash_history tmpgl (Apr 11)
- Re: bash_history John R. Morris (Apr 09)
- Re: bash_history Johnny Mast (Apr 09)
- RE: bash_history Alexandre Skyrme (Apr 11)
- RE: bash_history Nuno Costa (Apr 11)
- RE: bash_history Alexander Klimov (Apr 12)
- RE: bash_history Nuno Costa (Apr 11)
- Re: bash_history Igor Plisco (Apr 14)
- <Possible follow-ups>
- Re: bash_history Daniel Cid (Apr 09)
- RE: bash_history Simon Li (Apr 11)