Vulnerability Development mailing list archives
Re: History Files
From: tech () SPACE2U COM (Tomas Westin)
Date: Sun, 16 Apr 2000 02:26:30 +0200
Hello,

Yes, I am fully aware of that. It is clearly stated in the README file that there are tons of ways to circumvent this type of logging. This patch was intended as a sort of a "middle road" between the even worse concept of .bash_history files and total kernel level logging of syscalls etc.

The logging type that this patch provides isn't especially noticeable in performance view and is meant to catch the average user that doesn't know or suspect that a patch like this is in use on a system; they won't try to circumvent anything if they don't know it's there, they'll just go for export HISTFILE=. And if they know it's there (and since .bash_history files are still written as usual, probably not many will suspect something like this to be in use) it's much more likely that they choose another system to run whatever "suspicious" commands they want to run, be it ping -s 4000 <dialup-host-of-some-ircer> or the latest exploit from bugtraq that they plan to run against a number of targets from the shell they for some reason have on your system.

If they are the only one logged on at the time, then fine, it doesn't take too many brain loops to figure out what user you should delete. But if there were say 5-6 users logged on at the time and no traces in the .bash_history files since the abuser ran export HISTFILE=, then this patch gives you a larger opportunity to look up what user to delete.

So to sum up, it gives you better monitoring possibilities of your users than using .bash_history files but is far from perfect, which as I said previously is clearly stated in the README file. And FYI the BOFH name is not meant especially seriously, but taken because this patch does invade a user's "privacy" quite a bit (depending on your moral judgement). The patch, as you can see, is really small, just a few lines of code, so it could easily be adapted to any other shell if one wants to.

regards
Tomas

On Sat, 15 Apr 2000, Rodrick Brown <System Administrator> wrote:
If you want a log of your users' activities, you need to log syscalls, not "commands". When your bashbofhlog shows "perl -wfoobar", the user can be doing anything he wants. What do you do about users running csh, zsh, etc.? Just my 2 Cents =) If you want to be a real bofh, check out ttysnoop.

-- Rodrick Brown (CCNA), Systems/Network Administrator, Yard Productions (www.yrd.com), rodrick () yrd com

On Sat, 15 Apr 2000, Crispin Cowan wrote:

audit wrote:

I admin a few Linux servers and have a question about users' .bash_history files. The users on the systems keep their history files but I would like to have what they type logged to /root/history/$user_history. I know that this is not polite on my end or the other co-admins', but we need to know what our users are doing at all times. These are Slackware boxes and some RedHat boxes.

You could achieve that effect by symlinking or hard linking $HOME/.bash_history to /root/history/$user_history. Yes, that will be problematic because a user that wants to hide what they're doing will delete the link. However, this just highlights the problem that a user that wants to hide what they're doing will run a modified shell. At best, you will have the security of tracking the actions of your naive users. Especially clever users intent on hiding will name their modified shell "vi" or "rn" :-)

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
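Crispin's hard-link suggestion and the objection that a user will simply delete the link, as an added example that is not part of the thread: a POSIX sh setup for the central history files plus the inode check an admin needs to notice when a user has unlinked or replaced their .bash_history. The /root/history/$user_history layout comes from the original question; every other path and name here is an assumption, and the demo uses scratch directories.

```shell
#!/bin/sh
# Added example, not code from the thread. All paths are assumptions.
set -u

# link_history HOMEDIR LOGDIR USER: create the admin-owned central file and
# hard-link the user's .bash_history to it (both must be on one filesystem).
link_history() {
    home=$1; logdir=$2; user=$3
    mkdir -p "$home" "$logdir"
    : > "$logdir/${user}_history"
    rm -f "$home/.bash_history"
    ln "$logdir/${user}_history" "$home/.bash_history"
}

# history_link_intact HOMEDIR LOGDIR USER: succeed only while .bash_history is
# still the same inode as the central copy. Detects unlink/replace, not a
# user truncating the shared file with ": > ~/.bash_history".
history_link_intact() {
    home=$1; logdir=$2; user=$3
    [ -f "$home/.bash_history" ] || return 1
    [ "$home/.bash_history" -ef "$logdir/${user}_history" ]   # same dev+inode
}

# audit_links HOMEROOT LOGDIR USER...: report users whose link is broken;
# exit status is the number of broken links (0 = all intact).
audit_links() {
    homeroot=$1; logdir=$2; shift 2
    broken=0
    for user in "$@"; do
        if ! history_link_intact "$homeroot/$user" "$logdir" "$user"; then
            echo "$user: .bash_history no longer linked to $logdir/${user}_history"
            broken=$((broken + 1))
        fi
    done
    return "$broken"
}

# Demo on constructed scratch directories: bob removes his link, as the
# thread predicts a user wanting to hide their activity would.
demo() {
    tmp=$(mktemp -d)
    link_history "$tmp/home/alice" "$tmp/history" alice
    link_history "$tmp/home/bob" "$tmp/history" bob
    rm "$tmp/home/bob/.bash_history"
    audit_links "$tmp/home" "$tmp/history" alice bob || echo "$? broken link(s)"
    rm -rf "$tmp"
}
demo
```

The check only catches the "delete the link" case Crispin names; a user who runs a different shell or truncates the shared file still goes unnoticed, which is the thread's broader point.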
Current thread:
- History Files audit (Apr 15)
- Re: History Files Tomas Westin (Apr 15)
- Re: History Files gavina () CSIS GVSU EDU (Apr 15)
- Re: History Files Dino Dai Zovi (Apr 15)
- Re: History Files Crispin Cowan (Apr 15)
- Re: History Files Rodrick Brown <System Administrator> (Apr 15)
- Re: History Files Tomas Westin (Apr 15)
- Re: History Files Blue Boar (Apr 15)
- Re: History Files audit (Apr 15)
- Re: History Files Blue Boar (Apr 15)
- Re: History Files Carson Gaspar (Apr 15)
- limited functionality accounts (was: Re: History Files) Marc Slemko (Apr 16)
- Re: limited functionality accounts (was: Re: History Files) Seth R Arnold (Apr 16)
- Re: limited functionality accounts (was: Re: History Files) Einar Indridason (Apr 26)
- Controlling a program's resource usage on Unix Bernie Cosell (Apr 16)
- Re: Controlling a program's resource usage on Unix Seth R Arnold (Apr 16)
- Re: Controlling a program's resource usage on Unix Isaac (Apr 21)
- Re: History Files Rodrick Brown <System Administrator> (Apr 15)