Security Basics mailing list archives

RE: bash_history


From: Nuno Costa <webcenter () sapo pt>
Date: Mon, 11 Apr 2005 15:35:51 +0100


If you just want to prevent the user from modifying or deleting entries
from the bash_history file, and do not want to touch permissions and other
stuff, maybe create backups in real time of these files, in a root
dir, where the user can't touch them...

So if the user tries to modify or delete this file, you have in your
root dir backups of these files, which were created in real time.


regards
Nuno Costa


Greetings,

Altering permissions on files that are inside a user's home
directory usually is not an appropriate solution to prevent the user
from erasing his shell history. Typically the user will have write
permission on the directory itself (since it's his own home) and thus
he'll be able to erase the file (even if the file is owned by root:root
and has no write permission).

Altering the behavior of commands would probably be bad from a
functionality point of view.

The best (but probably not perfect) solution would be to define all
history related variables as readonly (like others stated) and use
chattr to protect the history file itself. One must remember though
that there are other variables than just HISTSIZE and HISTFILE
(HISTCONTROL, HISTFILESIZE, HISTIGNORE, etc).

Still there would probably be ways to bypass that (for example if
the user can change his own shell).

Regards,
--
Alexandre Skyrme
Cipher - Segurança da Informação
+55-21-2542-6677
www.ciphersec.com.br


-----Original Message-----
From: Alejandro Flores [mailto:alejandro.flores () triforsec com br]
Sent: Friday, April 8, 2005 18:51
To: security-basics () securityfocus com
Subject: bash_history


Hey there,

I was googling for a way to protect the bash_history file
from user removal or UNSET of the HISTFILE variable, and all I
found was papers about disabling this file for security
reasons. Weird! Why is it recommended to disable this file,
when it contains the history of typed commands from all
users? Ok, ok, you can tell me that users may have typed
passwords in a bash session to gain access to a mysql
database for example.
But, if you need to do some forensics on your compromised
server, this file is the first place to find out what the
'malicious dude' did to gain root privileges, the server
where he downloaded his craps, etc... I started 'chown'ing
the .bash_profile and .bashrc files to root, and removed the
'wx' from group and others. The user has only read
permission. But I can't prevent him from changing the
HISTFILE variable. Like: export HISTFILE=/dev/null. With this
command, all my steps from now on aren't recorded.

Ideas?

Regards,
Alejandro Flores
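
The readonly-variables-plus-chattr approach suggested in the thread, as an added example that is not from any of the posters: it prints a snippet for a root-owned system-wide profile file and audits which history variables a user could still reassign or unset. The numeric values, the function names, the `histappend` setting and the choice of the append-only (`+a`) attribute are assumptions of this example.

```shell
#!/bin/sh
# Added example: lock the history variables named in the thread, then audit the result.

# Print the snippet for a root-owned system-wide profile file (values are constructed).
emit_history_lockdown() {
    cat <<'EOF'
HISTFILE="$HOME/.bash_history"
HISTSIZE=5000
HISTFILESIZE=5000
HISTCONTROL=
HISTIGNORE=
# An append-only file cannot be truncated, so bash must append on exit.
[ -n "$BASH_VERSION" ] && shopt -s histappend
readonly HISTFILE HISTSIZE HISTFILESIZE HISTCONTROL HISTIGNORE
EOF
}

# Return 0 if, after sourcing the snippet, the variable can be neither
# reassigned nor unset. Each attempt runs in a child shell.
var_is_locked() {
    if sh -c '. "$1"; eval "$2=/dev/null"' sh "$1" "$2" 2>/dev/null; then
        return 1
    fi
    if sh -c '. "$1"; unset "$2"' sh "$1" "$2" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Print every listed variable that is still writable after the snippet.
unlocked_vars() {
    snippet=$1; shift
    for v in "$@"; do
        var_is_locked "$snippet" "$v" || printf '%s\n' "$v"
    done
}

# Mark an existing history file append-only and confirm the flag is set.
# Needs root on Linux and a filesystem that supports file attributes.
make_append_only() {
    chattr +a "$1" && lsattr "$1" | cut -d' ' -f1 | grep -q a
}

# Demo: audit the emitted snippet plus one variable it does not cover.
tmp=$(mktemp) && emit_history_lockdown > "$tmp"
echo "still writable: $(unlocked_vars "$tmp" HISTFILE HISTSIZE HISTFILESIZE \
    HISTCONTROL HISTIGNORE HISTTIMEFORMAT)"
rm -f "$tmp"
```

The audit reports HISTTIMEFORMAT because the snippet leaves it out, which is the "other variables" point made in the thread.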

