Vulnerability Development mailing list archives

Re: History Files


From: ghandi () MINDLESS COM (Dino Dai Zovi)
Date: Sat, 15 Apr 2000 17:32:28 -0600


I went through a similar discussion with an associate of mine (how to
monitor users' commands) a while back.  Designing a security system around
history files is basically futile.

For example, you could hack bash to write a history line to the user's
.history file and /var/log/history/<username>.  The user would still have
to have write permission to that file, so it couldn't be trusted.  You
could use *BSD secure levels and change the flags on that file to
append-only, which would improve things a bit.  But, then what happens if
a user likes tcsh?  Modify that one too... and so on until every shell on
the system has been modified to use this system.  It works until a user
gets the idea to write a quick C program to exec() whatever they want,
thereby bypassing the history logging again.

Solution: use process accounting.  It's in the kernel, and if users are
getting past that, you've got bigger problems.  You won't get the
prettiness of the history files, but those can be coded pretty
easily.  And you'll still have the user's .bash_history file (as untrusted
as it is) to glance over and compare with the accounting records.
-Dino

---------------------------------------------------------------------
Dino A. Dai Zovi                     "The world grasps after systems,
ghandi () mindless com                   and is imprisoned in dogmas."
http://www.ghandi.cx                  -Buddha
---------------------------------------------------------------------

On Sat, 15 Apr 2000, audit wrote:

Greetings,

I admin a few Linux servers and have a question about users' .bash_history
files. The users on the systems keep their history files but I would like
to have what they type logged to /root/history/$user_history
I know that this is not polite on my end or the other co-admins' but we
need to know what our users are doing at all times. These are slackware
boxes and some RedHat boxes.

Thanks
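The comparison Dino describes (accounting records from the kernel on one side, the untrusted .bash_history on the other) as an added worked example; this is not code from the thread or from either poster. It assumes the 64-byte struct acct_v3 record layout from <linux/acct.h>, which is what current Linux kernels write once `accton` has been pointed at a file such as /var/account/pacct (the thread predates the v3 format, so on a 2000-era box the record layout would differ), and a Linux uid for the user being checked. The accounting records and the history text are constructed inline so the script runs offline.

```python
"""Linux process-accounting (acct v3) records vs. a user's shell history.

Added example, not code from the mailing-list thread.  Assumes the
64-byte ``struct acct_v3`` layout from <linux/acct.h> (what the kernel
writes after ``accton /var/account/pacct``) and a uid to check.  All
sample data below is constructed for the example.
"""
import collections
import struct

# struct acct_v3: flag, version, tty, exitcode, uid, gid, pid, ppid,
# btime, etime (float), 8 x comp_t, comm[16].  Byte order is that of the
# writing host; bit 0x80 of ac_flag is set when the host is big-endian.
FIELDS = "BBHIIIIIIfHHHHHHHH16s"
ACCT_LE = struct.Struct("<" + FIELDS)
ACCT_BE = struct.Struct(">" + FIELDS)
RECORD_SIZE = ACCT_LE.size          # 64 bytes
ACCT_VERSION = 3
AFORK, ASU, ACORE, AXSIG, ACCT_BYTEORDER = 0x01, 0x02, 0x08, 0x10, 0x80


def comp_t(v):
    """Decode comp_t: a 13-bit mantissa scaled by 8 ** (3-bit exponent)."""
    return (v & 0x1FFF) << (3 * (v >> 13))


def parse_pacct(data):
    """Return one dict per record; a trailing partial record is ignored."""
    out = []
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        fmt = ACCT_BE if data[off] & ACCT_BYTEORDER else ACCT_LE
        f = fmt.unpack_from(data, off)
        if f[1] != ACCT_VERSION:
            raise ValueError("unsupported acct version %d at offset %d" % (f[1], off))
        out.append({
            "flag": f[0] & 0x7F, "tty": f[2], "exitcode": f[3],
            "uid": f[4], "gid": f[5], "pid": f[6], "ppid": f[7],
            "btime": f[8], "etime": f[9],
            "utime": comp_t(f[10]), "stime": comp_t(f[11]),
            # ac_comm is the name of the last image exec()'d, NUL-padded
            "comm": f[18].split(b"\0", 1)[0].decode("latin-1"),
        })
    return out


def make_record(uid, comm, pid, ppid, btime, flag=0, exitcode=0):
    """Build a little-endian acct_v3 record (constructed test data only)."""
    return ACCT_LE.pack(flag, ACCT_VERSION, 0, exitcode, uid, 100, pid, ppid,
                        btime, 0.05, 2, 1, 0, 0, 0, 0, 0, 0,
                        comm.encode("latin-1"))


# Shell builtins never exec(), so they only ever show up in history.
BUILTINS = {"cd", "export", "alias", "unset", "set", "source", ".", "exit",
            "echo", "pwd", "history", "umask", "ulimit"}
SHELLS = {"bash", "sh", "tcsh", "csh", "zsh", "ksh"}


def history_commands(text):
    """Leading word of each history line, with any path prefix stripped."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # HISTTIMEFORMAT timestamp lines
            continue
        cmds.append(line.split()[0].rsplit("/", 1)[-1])
    return cmds


def compare(records, history_text, uid):
    """Return (ran_but_not_in_history, in_history_but_never_ran) for uid."""
    acct = collections.Counter(r["comm"] for r in records
                               if r["uid"] == uid and r["comm"] not in SHELLS)
    hist = collections.Counter(c for c in history_commands(history_text)
                               if c not in BUILTINS)
    return acct - hist, hist - acct


# Constructed sample: the user compiles a small exec() wrapper ("runme")
# and runs "cat" and "nc" through it, so neither reaches .bash_history.
SAMPLE_UID = 1001
T = 955_000_000
SAMPLE_PACCT = b"".join([
    make_record(SAMPLE_UID, "ls", 2001, 2000, T + 1),
    make_record(SAMPLE_UID, "gcc", 2002, 2000, T + 10),
    make_record(SAMPLE_UID, "cc1", 2003, 2002, T + 10),   # spawned by gcc
    make_record(SAMPLE_UID, "runme", 2004, 2000, T + 20),
    make_record(SAMPLE_UID, "cat", 2005, 2004, T + 21),   # child of runme
    make_record(SAMPLE_UID, "nc", 2006, 2004, T + 22),    # child of runme
    make_record(0, "cron", 9, 1, T + 30),                 # other uid, ignored
])
SAMPLE_HISTORY = "ls -la\ncd /tmp\ngcc -o runme runme.c\n./runme\nvim notes.txt\n"

if __name__ == "__main__":
    recs = parse_pacct(SAMPLE_PACCT)
    for r in recs:
        print("uid=%-5d pid=%-5d ppid=%-5d comm=%s" % (r["uid"], r["pid"], r["ppid"], r["comm"]))
    ran_only, hist_only = compare(recs, SAMPLE_HISTORY, SAMPLE_UID)
    print("ran but not in history:", dict(ran_only))
    print("in history but never ran:", dict(hist_only))
```

Two caveats when reading the output: helper processes such as cc1 appear in accounting without any history line of their own, so the "ran but not in history" set needs a whitelist of compiler and shell plumbing before it is useful as an alert; and ac_comm only holds the last exec()'d name, not its arguments, so accounting tells you that `cat` ran under that uid but not what it read.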


