PaulDotCom mailing list archives

Archiving History files


From: mmcgrew1 at mail.csuchico.edu (Michael McGrew)
Date: Tue, 19 Jan 2010 12:27:15 -0800

This looks like a nifty solution.

http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/

On Tue, Jan 19, 2010 at 7:46 AM, Dave Ockwell-Jenner
<doj at primeinfosec.com> wrote:

> Monkey Daemon wrote:
> > Hi,
> >
> > I've just discovered a system on which one of our darling users has
> > decided adding a script to his .bash_logout file that removes
> > .bash_history on logout is a clever thing to do.
> >
> > Is there a way to take a copy of the .bash_history file before it is
> > deleted? This user obviously has something to hide as far as I'm
> > concerned, so I need to archive this file to present it as evidence.
>
> How about compiling a custom version of bash that writes the history
> file out to an alternate location? I have used that technique in the
> past for a similar situation and it was quite effective. There is little
> chance someone would suspect a 'trojaned' shell, typically.
>
> Cheers,
> Dave.
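
The situation described in this thread, a user's .bash_logout that removes .bash_history, can be detected by scanning home directories for it. The script below is an added example, not part of the thread or of the linked blog post; it goes beyond the one case mentioned to a few other history-disabling idioms, and the function names, patterns and sample files are constructed assumptions.

```sh
#!/bin/sh
# Added example: flag per-user bash files that delete or disable history.
# The patterns are heuristic assumptions, not an exhaustive list.

# ERE alternatives: delete the file, truncate it, clear or disable history.
RE='(^|[;&|[:space:]])(rm|shred|unlink|truncate)[[:space:]].*bash_history'
RE="$RE|(^|[^>])>[[:space:]]*[^>[:space:]]*bash_history"
RE="$RE|history[[:space:]]+-c|unset[[:space:]]+HISTFILE"
RE="$RE|HISTFILE=(/dev/null|[[:space:]]*\$)|HIST(FILE)?SIZE=0([^0-9]|\$)"

# scan_history_tampering HOME_ROOT
# Prints "file:line:text" for each suspicious non-comment line.
# Exit status 0 if anything was found, 1 otherwise.
scan_history_tampering() (
    found=1
    for f in "$1"/*/.bash_logout "$1"/*/.bashrc "$1"/*/.bash_profile; do
        [ -f "$f" ] || continue
        # Match the patterns, then drop lines that are only comments.
        hits=$(grep -HnE "$RE" "$f" |
               grep -vE '^[^:]*:[0-9]+:[[:space:]]*#') || continue
        printf '%s\n' "$hits"
        found=0
    done
    exit "$found"
)

# make_sample_homes: constructed sample home directories for the demo.
make_sample_homes() (
    root=$(mktemp -d)
    mkdir -p "$root/alice" "$root/bob" "$root/carol"
    printf '%s\n' '# ~/.bash_logout' 'rm -f ~/.bash_history' \
        > "$root/alice/.bash_logout"
    printf '%s\n' '# clear the screen on logout' 'clear' \
        > "$root/bob/.bash_logout"
    printf '%s\n' 'export HISTFILE=/dev/null' '# unset HISTFILE (disabled)' \
        > "$root/carol/.bashrc"
    printf '%s\n' "$root"
)

# Demo on the constructed tree; on a real host pass /home instead.
sample=$(make_sample_homes)
scan_history_tampering "$sample" || echo "no history tampering found"
rm -rf "$sample"
```

Run it as root so every user's dotfiles are readable, and treat a hit as a lead to review rather than proof.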