Vulnerability Development mailing list archives
Re: History Files
From: ghandi () MINDLESS COM (Dino Dai Zovi)
Date: Sat, 15 Apr 2000 17:32:28 -0600
I went through a similar discussion with an associate of mine (how to monitor users' commands) a while back. Designing a security system around history files is basically futile. For example, you could hack bash to write a history line to the user's .history file and /var/log/history/<username>. The user would still have to have write permission to that file, so it couldn't be trusted. You could use *BSD secure levels and change the flags on that file to append-only, which would improve things a bit. But, then what happens if a user likes tcsh? Modify that one too... and so on until every shell on the system has been modified to use this system. It works until a user gets the idea to write a quick C program to exec() whatever they want, thereby bypassing the history logging again.

Solution: use process accounting. It's in the kernel, and if users are getting past that, you've got bigger problems. You won't get the prettiness of the history files, but those can be coded pretty easily. And you'll still have the user's .bash_history file (as untrusted as it is) to glance over and compare with the accounting records.

-Dino

---------------------------------------------------------------------
Dino A. Dai Zovi             "The world grasps after systems,
ghandi () mindless com        and is imprisoned in dogmas."
http://www.ghandi.cx                                  -Buddha
---------------------------------------------------------------------

On Sat, 15 Apr 2000, audit wrote:
> Greetings,
>
> I admin a few Linux servers and have a question about users' .bash_history files. The users on the systems keep their history files but I would like to have what they type logged to /root/history/$user_history. I know that this is not polite on my end or the other co-admins' but we need to know what our users are doing at all times. These are slackware boxes and some RedHat boxes.
>
> Thanks
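The comparison suggested in the reply above, as an added example that is not part of the original post: it parses raw process accounting records and lists the commands a user ran that never appear in that user's history file. It assumes the 64-byte `struct acct_v3` record that current Linux kernels write; the function names and the sample data are constructed for illustration.

```python
import os
import struct

# Linux struct acct_v3 (64 bytes, little-endian assumed): ac_flag, ac_version,
# ac_tty, ac_exitcode, ac_uid, ac_gid, ac_pid, ac_ppid, ac_btime, ac_etime,
# eight comp_t counters, ac_comm[16].
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")

def parse_acct(blob):
    """Yield (uid, pid, btime, comm) for each v3 record in a raw pacct blob."""
    for off in range(0, len(blob) - ACCT_V3.size + 1, ACCT_V3.size):
        f = ACCT_V3.unpack_from(blob, off)
        if f[1] != 3:  # ac_version: skip records written in another format
            continue
        yield f[4], f[6], f[8], f[-1].split(b"\0", 1)[0].decode("ascii", "replace")

def history_commands(text):
    """Command names from history lines, cut to 15 chars as ac_comm is."""
    names = set()
    for line in text.splitlines():
        for part in line.replace("|", ";").replace("&&", ";").split(";"):
            words = part.split()
            if words and not words[0].startswith("#"):
                names.add(os.path.basename(words[0])[:15])
    return names

def unexplained(blob, uid, history_text):
    """Accounting records for uid whose command name is absent from the history."""
    seen = history_commands(history_text)
    return [(pid, comm) for u, pid, _, comm in parse_acct(blob) if u == uid and comm not in seen]

# Constructed sample: four accounting records and one user's history file.
def make_record(uid, pid, comm, btime=955841548):
    return ACCT_V3.pack(0, 3, 0, 0, uid, 100, pid, 1, btime, 0.5, *([0] * 8), comm.encode())

SAMPLE_PACCT = b"".join([make_record(1001, 4101, "ls"), make_record(1001, 4102, "vi"),
                         make_record(1001, 4103, "runme"), make_record(1002, 4104, "nc")])
SAMPLE_HISTORY = "ls -la /tmp\nvi notes.txt\ncd /tmp && ls\n"

if __name__ == "__main__":
    print(unexplained(SAMPLE_PACCT, 1001, SAMPLE_HISTORY))
```

Accounting records carry only the command name, not its arguments, and programs started by scripts or by the login itself will also show up as unexplained, so the output is a list to review rather than a verdict.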