PaulDotCom mailing list archives
Archiving History files
From: doj at primeinfosec.com (Dave Ockwell-Jenner)
Date: Tue, 19 Jan 2010 10:46:55 -0500
Monkey Daemon wrote:
> Hi, I've just discovered a system on which one of our darling users has decided adding a script to his .bash_logout file that removes .bash_history on logout is a clever thing to do. Is there a way to take a copy of the .bash_history file before it is deleted? This user obviously has something to hide as far as I'm concerned, so I need to archive this file to present it as evidence.
How about compiling a custom version of bash that writes the history file out to an alternate location? I have used that technique in the past for a similar situation and it was quite effective. There is little chance someone would suspect a 'trojaned' shell, typically.

Cheers,
Dave.
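
Added example, not part of the original messages: a shell sketch of the administrator-side check the question implies, listing `.bash_logout` files that tamper with history and copying whatever history is still on disk into an evidence directory. It goes beyond the single `rm` case in the thread; the patterns, function names and demo home tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find logout scripts that tamper with
# shell history and keep a copy of the history that is still on disk.
# Patterns, function names and the demo tree are constructed for illustration.

TAMPER_RE='(^|[;&|[:space:]])(rm|shred|unlink)[[:space:]].*\.bash_history'
TAMPER_RE="$TAMPER_RE"'|>[[:space:]]*[^[:space:]]*\.bash_history'
TAMPER_RE="$TAMPER_RE"'|history[[:space:]]+-c|unset[[:space:]]+HISTFILE'
TAMPER_RE="$TAMPER_RE"'|HISTFILE=/dev/null|HISTSIZE=0'

# Print file:line:text for each non-comment match in <root>/*/.bash_logout.
scan_logout_files() {
    for _f in "$1"/*/.bash_logout; do
        [ -f "$_f" ] || continue
        grep -nHE "$TAMPER_RE" "$_f" |
            grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
    done
    return 0
}

# Copy <home>/.bash_history into <dest>, keeping timestamps; print the copy's path.
preserve_history() {
    [ -f "$1/.bash_history" ] || return 1
    mkdir -p "$2"
    _out="$2/$(basename "$1").bash_history.$(date -u +%Y%m%dT%H%M%SZ)"
    cp -p "$1/.bash_history" "$_out" && echo "$_out"
}

# Constructed home tree: alice is benign, bob deletes, carol clears.
make_demo_tree() {
    _r=$(mktemp -d)
    mkdir -p "$_r/alice" "$_r/bob" "$_r/carol"
    printf 'clear\n' > "$_r/alice/.bash_logout"
    printf 'rm -f ~/.bash_history\n' > "$_r/bob/.bash_logout"
    printf '# rm ~/.bash_history\nhistory -c\n' > "$_r/carol/.bash_logout"
    printf 'ls\nwhoami\n' > "$_r/bob/.bash_history"
    echo "$_r"
}

demo_root=$(make_demo_tree)
scan_logout_files "$demo_root"
preserve_history "$demo_root/bob" "$demo_root/evidence"
```

The patterns are heuristics: a match is a lead to review by hand, and a logout script can call another file that this scan does not follow.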