Security Basics mailing list archives
RE: bash_history
From: "Alexandre Skyrme" <alexandre.skyrme () ciphersec com br>
Date: Mon, 11 Apr 2005 09:58:16 -0300
Greetings,

Altering permissions on files that are inside a user's home directory usually is not an appropriate solution to prevent the user from erasing his shell history. Typically the user will have write permission on the directory itself (since it's his own home) and thus he'll be able to erase the file (even if the file is owned by root:root and has no write permission).

Altering the behavior of commands would probably be bad from a functionality point of view.

The best (but probably not perfect) solution would be to define all history-related variables as readonly (like others stated) and use chattr to protect the history file itself. One must remember, though, that there are other variables than just HISTSIZE and HISTFILE (HISTCONTROL, HISTFILESIZE, HISTIGNORE, etc).

Still, there would probably be ways to bypass that (for example, if the user can change his own shell).

Regards,

--
Alexandre Skyrme
Cipher - Segurança da Informação
+55-21-2542-6677
www.ciphersec.com.br

This e-mail message may contain legally privileged and/or confidential information, therefore, the recipient is hereby notified that any unauthorized dissemination, distribution or copying is strictly prohibited. If you have received this e-mail message inappropriately or accidentally, please notify the sender and delete it from your computer immediately.
-----Original Message-----
From: Alejandro Flores [mailto:alejandro.flores () triforsec com br]
Sent: Friday, April 8, 2005 18:51
To: security-basics () securityfocus com
Subject: bash_history

Hey there,

I was googling about a way to protect the bash_history file from user removal or UNSET the HISTFILE variable and all I found were papers about disabling this file for security reasons. Weird! Why is it recommended to disable this file, when it contains the history of typed commands from all users?

Ok, ok, you can tell me that users may have typed passwords in a bash session to gain access to a mysql database, for example. But if you need to do some forensics on your compromised server, this file is the first place to know what the 'malicious dude' did to gain root privileges, the server where he downloaded his crap, etc...

I started 'chown'ing the .bash_profile and .bashrc files to root, and removed the 'wx' from group and others. The user has only read permission. But I can't prevent him from changing the HISTFILE variable. Like:

    export HISTFILE=/dev/null

With this command, all my steps from now on aren't recorded.

Ideas?

Regards,
Alejandro Flores
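One way to apply the advice in the reply above (readonly history variables plus chattr on the history file), as an added example that is not part of the original thread. The file path, function names and numeric values are assumptions chosen for illustration.

```shell
# Added example: a fragment for a root-owned file such as
# /etc/profile.d/history-lock.sh (path and all names are assumptions).

# The variables named in the message; locking only two of them is not enough.
HIST_VARS="HISTFILE HISTSIZE HISTFILESIZE HISTCONTROL HISTIGNORE"

# Set every history variable, then freeze it for the rest of the session.
lock_history_vars() {
    HISTFILE="${HOME:-/tmp}/.bash_history"
    HISTSIZE=10000          # constructed value
    HISTFILESIZE=10000      # constructed value
    HISTCONTROL=""          # empty: keep duplicates and space-prefixed lines
    HISTIGNORE=""           # empty: no command pattern is excluded
    if [ -n "${BASH_VERSION:-}" ]; then
        shopt -s histappend # append on exit, which an append-only file needs
    fi
    readonly HISTFILE HISTSIZE HISTFILESIZE HISTCONTROL HISTIGNORE
}

# Audit: print each history variable that can still be reassigned.
# The probe assignment runs in a subshell, so the session is never changed.
writable_history_vars() {
    for v in $HIST_VARS; do
        if ( eval "$v=probe" ) 2>/dev/null; then
            printf '%s\n' "$v"
        fi
    done
}

# Run once per account as root: make the history file append-only, so it
# cannot be truncated or unlinked even by the owner of the directory.
# Needs a filesystem that supports chattr; defined here, not called.
protect_history_file() {
    touch "$1" && chattr +a "$1" && lsattr "$1"
}

lock_history_vars
```

An empty result from `writable_history_vars` in a user's session confirms that the profile fragment took effect for that shell.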