Vulnerability Development mailing list archives

Re: History Files


From: krisw () SUPPORTTEAM NET (Senior Systems Administrator - Kris W.)
Date: Sun, 16 Apr 2000 17:07:51 -0500


I have my systems set up like this:

in /etc/profile,
USER=`id -un`
HISTFILE=/home/history/$USER.history
echo ------------------- `date` >> $HISTFILE

/home/history/$user.history is a file, with rwx access for the user and
group, and with append-only attributes.

and

in /etc/bashrc:
chk=`id -un`
if [ "$chk" != "root" ]
then
    alias unset='dono'
fi

where dono is a simple shell script that just exits

and in the user's .bash_logout, a script that echoes the date again to the
histfile, so I have a good idea of when each user executed what; combined
with process accounting I can pretty much track anything.

kw

----- Original Message -----
From: "Michael Jennings" <mej () VALINUX COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, April 16, 2000 1:35 AM
Subject: Re: History Files

On Saturday, 15 April 2000, at 17:31:44 (-0700),
Corwin J. Grey wrote:

Actually there is a pretty good way that is so simple it's nearly foolproof
(there are one or two ways around it, but any program that spawns a shell
will (if you limit all the shells to bash) launch bash which will write a
session log on exit).

Force each user to use bash first of all, and don't allow them to change
shells.

 In your /root/history/$user_history create a file for the user (e.g.
/root/history/bob)

 mkdir /root/history
 chmod 0777 /root/history

 touch /root/history/bob
 ln -s /root/history/bob /home/bob/.bash_history
 chmod 0600 /root/history/bob
 chown bob.bob /root/history/bob
 chattr +au /root/history/bob

And happy logging :)

I don't suppose anyone realized that the user, having write
permissions to his/her own home directory, could simply remove the
soft link?  Or move it out of the way?

Michael

--
 "To live on as we have is to leave behind joy, and love, and
  companionship, because we know it to be transitory, of the moment.
  We know it will turn to ash."                -- Lorien, Babylon Five
=======================================================================
Michael Jennings  <mej () eterm org>  www.tcserv.com  PGP Key ID: BED09971
Software Engineer, VA Linux Systems       Author, Eterm (www.eterm.org)
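
The two properties this thread turns on can be checked by an audit script: whether the history path is a link its user can remove (the objection raised in the quoted reply) and whether the log carries the append-only attribute. This is an added example, not code from any poster; the function names are hypothetical and it assumes `ls -n`, `readlink -f` and `lsattr` are available.

```shell
#!/bin/sh
# Added example, not code from the thread.

# 0 when $1 is a symlink in a directory that the owner of the log it points
# to can write (or that is world-writable without the sticky bit): the link
# can then be removed or renamed whatever attributes protect the target.
# Group write access and ACLs are not examined.
link_removable_by_owner() {
    [ -L "$1" ] || return 1
    set -- "$1" $(ls -ldn -- "$(dirname -- "$1")")
    dirmode=$2 diruid=$4                      # mode string and owner uid of dir
    set -- $(ls -ldnL -- "$1" 2>/dev/null)    # -L: stat the log, not the link
    fileuid=$3
    case $dirmode in
        d???????w[-x]*) return 0 ;;           # world-writable, no sticky bit
        d?w*) [ "$diruid" = "$fileuid" ] && return 0 ;;
    esac
    return 1
}

# 0 = append-only flag set, 1 = flag absent, 2 = cannot tell (no lsattr, or
# a filesystem without attribute support).
is_append_only() {
    command -v lsattr >/dev/null 2>&1 || return 2
    flags=$(lsattr -d -- "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$flags" ] || return 2
    case $flags in *a*) return 0 ;; *) return 1 ;; esac
}

# Print one finding per problem for the history path given as $1.
audit_history() {
    if link_removable_by_owner "$1"; then
        echo "$1: link can be removed or renamed by the log's owner"
    fi
    rc=0
    is_append_only "$(readlink -f -- "$1")" || rc=$?
    case $rc in
        1) echo "$1: log is not append-only" ;;
        2) echo "$1: append-only flag could not be checked" ;;
    esac
}

for f in "$@"; do audit_history "$f"; done
```

Run it as root with each user's history path as an argument, for example `/home/bob/.bash_history`.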

