Re: encrypt the bash history

[Emanuel dos Reis Rodrigues <emanueldosreis () gmail com>]

I agree with Peter, if  you control the root user ...  the bash history 
is the minnor problem ...


Emanuel dos Reis Rodrigues
Senior Level Linux Professional (LPIC-3) 
LPI 302 (Mixed Environment) Specialty
LPI 304 (Virtualization and High Availability) Specialty
C|EH Certified Ethical Hacker
CompTIA Security+ Certified
http://br.linkedin.com/in/emanuelreis
t:@emanueldosreis
emanueldosreis(No*SpAm)gmail.com
Mobile: +55 95 8112-9628








Peter Maxwell wrote:
> To be honest, none of these methods will actually be effective: root 
> can do what he/she likes, including monitoring *everything* you do. 
>  Worrying about shell history is not going to solve anything.
>
> Your only choices are to trust root, or setup your own host.
>
> Peter Maxwell
>
>
> On 6 February 2011 11:21, Zerial. <fernando () zerial org 
> <mailto:fernando () zerial org>> wrote:
>
>     -----BEGIN PGP SIGNED MESSAGE-----
>     Hash: SHA1
>
>     On 02/04/11 16:36, Erik Falor wrote:
>     > On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
>     >> -----BEGIN PGP SIGNED MESSAGE-----
>     >> Hash: SHA1
>     >>
>     >> On 02/04/11 16:13, Valdis.Kletnieks () vt edu
>     <mailto:Valdis.Kletnieks () vt edu> wrote:
>     >>> On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
>     >>>> what is the best way to encrypt the bash_history file?
>     >>>> I try using crypt/decrypt with GPG when login/logout. It
>     works, but not
>     >>>> safe enough.
>     >>>
>     >>> Explain what the threat model is, and why GPG isn't safe
>     enough?  It's kind of
>     >>> hard to recommend "best" when we don't understand what the
>     criteria are...
>     >>>
>     >>
>     >> The "way" is not safe enough. root can login as me (su - user) and
>     >> bash_history will be decrypted. I try to find any better way to
>     crypt
>     >> and make unreadable the bash_history file from any other users,
>     >> including root.
>     >
>     > Not to mention the fact that your .bash_history file is unencrypted
>     > the entire time you're logged in.
>
>     This is the problem on my "way" to protect/crypt the bash_history.
>
>      A better alternative, if you're
>     > that anxious about your shell history falling into the wrong
>     hands, is
>     > to disable it entirely:
>     >
>     > unset HISTFILE
>     > HISTSIZE=0
>     >
>     > You can also tell bash to not record commands that begin with a
>     space:
>     > HISTCONTROL=ignorespace
>     >
>     > More fine-grained control can be achieved with the HISTIGNORE
>     > variable.  See the 'Shell Variables' section of the bash(1) manpage.
>     >
>     > Finally, I wrote these functions to toggle history recording on/off
>     > in a shell.  I like how this works, when I remember to run it
>     beforehand:
>     >
>     > # turn off history recording
>     > function offtherecord()
>     > {
>     >     if [[ -n "$HISTFILE" ]]; then
>     >         OLDHISTFILE=$HISTFILE
>     >         unset HISTFILE
>     >     fi
>     >     if [[ -n "$HISTSIZE" ]]; then
>     >         OLDHISTSIZE=$HISTSIZE
>     >         HISTSIZE=0
>     >     fi
>     > }
>     >
>     > # turn on history recording
>     > function ontherecord()
>     > {
>     >     if [[ -n "$OLDHISTFILE" ]]; then
>     >         HISTFILE=$OLDHISTFILE
>     >         unset OLDHISTFILE
>     >     fi
>     >     if [[ -n "$HISTSIZE" ]]; then
>     >         HISTSIZE=$OLDHISTSIZE
>     >         unset OLDHISTSIZE
>     >     fi
>     > }
>     >
>     > Once you've run offtherecord, you lose all of your history for
>     that shell until
>     > you log back in.
>     >
>
>     Nice tip, but this solution doesn't work for me. I don't wanna avoid
>     logging commands nor delete the bash history nor hide the commands. I
>     wanna "encrypt" the file. I don't wanna miss commands which I
>     executed.
>
>     Another solution may be copy and move the history file from the server
>     to the client, saving the bash_history on client side. But ...
>     this will
>     not work if I connect using client as putty.
>
>
>     thanks for the asnwer,
>
>
>
>     - --
>     Zerial
>     Seguridad Informatica
>     GNU/Linux User #382319
>     Blog: http://blog.zerial.org
>     Jabber: zerial () jabberes org <mailto:zerial () jabberes org>
>     -----BEGIN PGP SIGNATURE-----
>     Version: GnuPG v1.4.11 (GNU/Linux)
>     Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
>     iEYEARECAAYFAk1OhC0ACgkQIP17Kywx9JTuSgCcC455KT3/NrSZbOXNodc/zbG8
>     JmcAn3QtIlyVyri5qCPxBFlaLa04C8tk
>     =OVc7
>     -----END PGP SIGNATURE-----
>
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/