Vulnerability Development mailing list archives
Re: History Files
From: sarnold () WILLAMETTE EDU (Seth R Arnold)
Date: Sat, 15 Apr 2000 16:45:59 -0700
Hello Audit :)

* audit <audit () RADIUSNET NET> [000415 16:06]:

I admin a few Linux servers and have a question about user's .bash_history files. The users on the systems keep their history files but I would like to have what they type logged to /root/history/$user_history I know that this is not polite on my end or the other co-admin's but we need to know what our users are doing at all times. These are slackware boxes and some RedHat boxes.

I am not sure this is quite what you are after. I admit, if your users are naive, this ought to work nicely, but I can think of *many* ways around the logging. Here is one:

  $ vi ./harmless_file

[Make the file something like:

  #!/bin/sh
  rm -rf /

While editing the file, save it and do

  :!chmod 500 ./harmless_file

and

  :!./harmless_file
]

They just executed a command without you seeing it.

Also, the only way a user could write to those files is if the file is writable for that user, which means they could just as easily perform the following:

  $ echo "" > /root/history/$user_history

This leaves a big gaping hole. Maybe your users would selectively delete their commands, without the hole being so obvious. (Unless ext2fs supports an "append-only" attribute flag, but I have no idea about this. :)

However, all is not lost -- look into running process accounting. I myself haven't tried this, so I don't know its capabilities, but I assume you can find out how much time your users spend running which programs. It requires compiling your kernel with the process accounting feature turned on, as well as a userland program. I don't know about any userland programs to do the work, and my kernel's help system doesn't mention where to find one. Google or freshmeat.net might have some good suggestions. :)

If recompiling is not available to you, perhaps you could manually get information out of the /proc/<pid> directories. (I think our friends at l0pht wrote a tool (tmpwatcher?) to tell when new files/directories are added to a specified directory; I bet you could use that easily with a shell script to get information on processes people are running.)

Either the process accounting or the /proc/ watching should be good enough for most people's level of security. I bet the append-only attribute flags, if such a thing exists, would be more than enough for most people's security needs.

Of course, you need to evaluate your security needs and compare the options available for which is best for you. :) I hope this helps. :)

--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
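A minimal version of the /proc watching suggested in the reply above, added here as an example and not code from the original thread: it snapshots the pids under /proc, and for each process that appeared since the previous snapshot appends a timestamped record (pid, real uid, command line) to a log file that lives outside the user's reach. It assumes a Linux /proc; the log path, poll interval and function names are my own choices.

```shell
#!/bin/sh
# Poll /proc and log processes that appeared since the last snapshot.
# Added example for this thread, not code from the original post; assumes Linux /proc.

LOGFILE="${LOGFILE:-/tmp/proc_watch.log}"   # constructed default; use a root-only path in practice

# snapshot: print the pids currently present in /proc, one per line, sorted for comm(1)
snapshot() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done | sort
}

# describe_pid PID: print "PID UID CMDLINE"; fails silently if the process is already gone
describe_pid() {
    pid=$1
    [ -r "/proc/$pid/status" ] || return 1
    # the Uid: line carries real, effective, saved and fs uids; keep the real one
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    # cmdline is NUL-separated; kernel threads have an empty one, so fall back to Name:
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    [ -n "$cmd" ] || cmd="[$(awk '/^Name:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)]"
    printf '%s %s %s\n' "$pid" "${uid:-?}" "$cmd"
}

# new_pids OLD NEW: pids listed in snapshot file NEW but not in OLD
new_pids() {
    comm -13 "$1" "$2"
}

# log_new OLD NEW: append one timestamped record per new process to LOGFILE
log_new() {
    new_pids "$1" "$2" | while read -r pid; do
        line=$(describe_pid "$pid") || continue
        printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$line" >> "$LOGFILE"
    done
}

# watch_proc [INTERVAL]: poll forever; short-lived commands can still slip between polls,
# which is why process accounting in the kernel is the more complete option
watch_proc() {
    old=$(mktemp); new=$(mktemp)
    snapshot > "$old"
    while :; do
        sleep "${1:-1}"
        snapshot > "$new"
        log_new "$old" "$new"
        cp "$new" "$old"
    done
}
```

Run `watch_proc 1` from a root shell (or from init) to start polling; `grep ' 1000 ' "$LOGFILE"` then shows what uid 1000 has been running.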