Full Disclosure mailing list archives
Re: encrypt the bash history
From: Emanuel dos Reis Rodrigues <emanueldosreis () gmail com>
Date: Sun, 06 Feb 2011 10:17:15 -0400
I agree with Peter, if you control the root user ... the bash history is the minor problem ...

Emanuel dos Reis Rodrigues
Senior Level Linux Professional (LPIC-3)
LPI 302 (Mixed Environment) Specialty
LPI 304 (Virtualization and High Availability) Specialty
C|EH Certified Ethical Hacker
CompTIA Security+ Certified
http://br.linkedin.com/in/emanuelreis
t:@emanueldosreis
emanueldosreis(No*SpAm)gmail.com
Mobile: +55 95 8112-9628

Peter Maxwell wrote:

To be honest, none of these methods will actually be effective: root can do what he/she likes, including monitoring *everything* you do. Worrying about shell history is not going to solve anything.

Your only choices are to trust root, or set up your own host.

Peter Maxwell

On 6 February 2011 11:21, Zerial. <fernando () zerial org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/04/11 16:36, Erik Falor wrote:
> On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 02/04/11 16:13, Valdis.Kletnieks () vt edu wrote:
>>> On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
>>>> what is the best way to encrypt the bash_history file?
>>>> I try using crypt/decrypt with GPG when login/logout. It works, but not
>>>> safe enough.
>>>
>>> Explain what the threat model is, and why GPG isn't safe enough? It's kind of
>>> hard to recommend "best" when we don't understand what the criteria are...
>>>
>>
>> The "way" is not safe enough. root can login as me (su - user) and
>> bash_history will be decrypted. I try to find any better way to crypt
>> and make unreadable the bash_history file from any other users,
>> including root.
>
> Not to mention the fact that your .bash_history file is unencrypted
> the entire time you're logged in.

This is the problem on my "way" to protect/crypt the bash_history.

> A better alternative, if you're
> that anxious about your shell history falling into the wrong hands, is
> to disable it entirely:
>
> unset HISTFILE
> HISTSIZE=0
>
> You can also tell bash to not record commands that begin with a space:
> HISTCONTROL=ignorespace
>
> More fine-grained control can be achieved with the HISTIGNORE
> variable. See the 'Shell Variables' section of the bash(1) manpage.
>
> Finally, I wrote these functions to toggle history recording on/off
> in a shell. I like how this works, when I remember to run it beforehand:
>
> # turn off history recording
> function offtherecord()
> {
>     if [[ -n "$HISTFILE" ]]; then
>         OLDHISTFILE=$HISTFILE
>         unset HISTFILE
>     fi
>     if [[ -n "$HISTSIZE" ]]; then
>         OLDHISTSIZE=$HISTSIZE
>         HISTSIZE=0
>     fi
> }
>
> # turn on history recording
> function ontherecord()
> {
>     if [[ -n "$OLDHISTFILE" ]]; then
>         HISTFILE=$OLDHISTFILE
>         unset OLDHISTFILE
>     fi
>     # restore HISTSIZE only if offtherecord saved a value
>     if [[ -n "$OLDHISTSIZE" ]]; then
>         HISTSIZE=$OLDHISTSIZE
>         unset OLDHISTSIZE
>     fi
> }
>
> Once you've run offtherecord, you lose all of your history for that shell until
> you log back in.
>

Nice tip, but this solution doesn't work for me. I don't wanna avoid logging commands nor delete the bash history nor hide the commands. I wanna "encrypt" the file. I don't wanna miss commands which I executed.

Another solution may be to copy and move the history file from the server to the client, saving the bash_history on client side. But ... this will not work if I connect using a client such as putty.

thanks for the answer,

- --
Zerial
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial () jabberes org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1OhC0ACgkQIP17Kywx9JTuSgCcC455KT3/NrSZbOXNodc/zbG8
JmcAn3QtIlyVyri5qCPxBFlaLa04C8tk
=OVc7
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
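
The history filters Erik Falor mentions (HISTCONTROL=ignorespace and HISTIGNORE), shown in action as an added example that is not part of the original thread: a throwaway non-interactive bash records a few constructed commands and the function prints what would reach the history file. The function name, the sample commands and the API_TOKEN value are assumptions; bash and mktemp must be on PATH.

```bash
#!/bin/sh
# Added example, not code from the thread.
# recorded_history (hypothetical name) runs a child bash with history
# switched on and prints the list that bash would save to a history file.
recorded_history() {
    hist_out=$(mktemp) || return 1
    HIST_OUT="$hist_out" bash --norc --noprofile <<'EOF' >/dev/null 2>&1
# Leave the real history file alone: nothing is loaded or saved on exit.
unset HISTFILE
HISTSIZE=100
# Skip commands typed with a leading space.
HISTCONTROL=ignorespace
# Skip any line that matches this pattern in full (colon-separated list).
HISTIGNORE='*API_TOKEN=*'
set -o history
echo "ordinary command"
 echo "typed with a leading space"
export API_TOKEN=constructed-sample-value
ls /tmp
history -w "$HIST_OUT"
EOF
    cat "$hist_out"
    rm -f "$hist_out"
}

# Show what survived the filters.
recorded_history
```

This only controls what the shell writes to its own history; as Peter Maxwell notes in the thread, it does nothing about what root can observe.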