Security Basics mailing list archives

RE: bash_history


From: "Simon Li" <simon.li () themachineroom co uk>
Date: Mon, 11 Apr 2005 10:08:17 +0100

Alejandro Flores wrote:

Hey there,

I was googling about a way to protect the bash_history file from user removal or from UNSETting the HISTFILE variable, and all I found was papers about disabling this file for security reasons. Weird! Why is it recommended to disable this file, when it contains the history of typed commands from all users? Ok, ok, you can tell me that users may have typed passwords in a bash session to gain access to a MySQL database, for example.
But, if you need to do some forensics on your compromised server, this file is the first place to look to know what the 'malicious dude' did to gain root privileges, the server from which he downloaded his crap, etc...
I started 'chown'ing the .bash_profile and .bashrc files to root, and removed the 'wx' from group and others. The user has only read permission.

I don't particularly agree with forcing users to not have a 
shell history for security reasons, as long as they are aware 
of it, and it's not made easy (i.e., not world readable) for 
others to peruse. Systems with higher security requirements 
might be a different story. In general, my preference is to 
avoid passwords on the commandline. Most programs (MySQL as a 
case in point) will prompt you if you prefer that to typing 
the password as part of the arguments passed.

However, the purpose of a history file is for finding recent 
commands, etc. Not as an audit trail.
For most purposes, you can look to sudo for auditing commands 
run as root. You'll have to work to set up an allowed list of 
commands (versus allowing them to run any command via sudo) 
to prevent them from simply spawning a new root shell, or if 
you disallow the system shells, compiling/copying and running 
that shell... Worth the effort. It sounds like you really 
want to audit/capture commands run as non-privileged users.
The quickest way to do that reliably is in the OS kernel. 
Anything else, such as a modified shell, can be circumvented 
and requires additional effort on your part to counter those 
possibilities.
Here's a decent one for Linux; there are quite a few for most 
OSes out there.
THC-VLOGGER Linux -- http://www.thc.org/


Linux (not sure about other OSes) has a psacct package which does
rudimentary logging of all programs run (including any programs run in a
fork). It doesn't seem to store command arguments though.
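The point made above, that the history file is written by the user's own shell and is therefore not an audit trail, can be shown directly. The script below is an added example and is not part of the original thread. It drives throwaway interactive bash sessions from a pipe with HISTFILE pointed at a temporary file; the commands fed to each session and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: ~/.bash_history is produced by the
# user's own interactive shell, so the user can simply switch it off.

# Make sure inherited history settings do not change what bash writes.
unset HISTTIMEFORMAT HISTCONTROL HISTIGNORE

# Start an interactive bash with HISTFILE set to $1 and feed it the remaining
# arguments as typed commands, one per line. EOF ends the session; on exit an
# interactive bash writes its in-memory history to $HISTFILE, if it is set.
# --norc/--noprofile keep rc files (the ones chown'ed in the thread) out of it.
run_session() {
    histfile=$1; shift
    printf '%s\n' "$@" | HISTFILE="$histfile" HISTSIZE=500 HISTFILESIZE=500 \
        bash --norc --noprofile -i >/dev/null 2>&1
}

# Number of commands recorded in a history file; 0 if it was never written.
recorded_commands() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

demo() {
    dir=$(mktemp -d)

    # 1. Ordinary session: both commands are written on exit.
    run_session "$dir/honest" 'echo hello' 'id'
    echo "honest session recorded $(recorded_commands "$dir/honest") commands"

    # 2. Same user, but the first thing typed is 'unset HISTFILE'. Nothing is
    #    written. A root-owned, read-only .bashrc does not prevent this: the
    #    variable is changed inside the live session, not in a startup file.
    run_session "$dir/evasive" 'unset HISTFILE' 'id'
    echo "evasive session recorded $(recorded_commands "$dir/evasive") commands"

    # 3. Clearing the in-memory list just before exit has the same effect.
    run_session "$dir/cleared" 'id' 'history -c'
    echo "session ending in 'history -c' recorded $(recorded_commands "$dir/cleared") commands"

    rm -rf "$dir"
}

demo
```

Run it with `sh demo.sh` on a box that has bash; the honest session records 2 commands and the other two record 0. Making the history file itself append-only (`chattr +a`) does not help either, since `unset HISTFILE` stops bash from opening it at all. Accounting that does not depend on the shell's cooperation, such as the kernel-level process accounting mentioned above, is what survives this.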



