Vulnerability Development mailing list archives

Re: History Files


From: tech () SPACE2U COM (Tomas Westin)
Date: Sun, 16 Apr 2000 02:26:30 +0200


Hello,

Yes, I am fully aware of that. It is clearly stated in the README file
that there are tons of ways to circumvent this type of logging. This patch
was intended as a sort of a "middle road" between the even worse concept
of .bash_history files and total kernel level logging of syscalls
etc. The logging type that this patch provides isn't especially noticeable
performance-wise and is meant to catch the average user who doesn't
know or suspect that a patch like this is in use on a system; they won't
try to circumvent anything if they don't know it's there, they'll
just go for export HISTFILE=. And if they know it's there (and since
.bash_history files are still written as usual, probably not many will
suspect something like this to be in use) it's much more
likely that they choose another system to run whatever
"suspicious" commands they want to run, be it ping -s 4000
<dialup-host-of-some-ircer> or the latest exploit from bugtraq that they
plan to run against a number of targets from the shell they for some
reason have on your system. If they are the only one logged on at the
time, then fine, it doesn't take too many brain loops to figure out what
user you should delete. But if there were say 5-6 users logged on at the
time and no traces in the .bash_history files since the abuser ran export
HISTFILE=, then this patch gives you a larger opportunity to look up what
user to delete. So to sum up, it gives you better monitoring possibilities
of your users than using .bash_history files but is far from perfect,
which as I said previously is clearly stated in the README file. And FYI
the BOFH name is not meant especially seriously, but taken because this
patch does invade a user's "privacy" quite a bit (depending on your moral
judgement); the patch as you can see is really small, just a few lines of
code, so it could easily be adapted to any other shell if one wants to.

regards Tomas

On Sat, 15 Apr 2000, Rodrick Brown <System Administrator> wrote:

if you want a log of your users' activities, you need to log syscalls, not
"commands"

when your bashbofhlog shows "perl -wfoobar", the user can be doing
anything he wants.
What do you do about users running csh, zsh, etc.?

Just my 2 Cents =)
If you want to be a real bofh check out ttysnoop =>

  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  .      (0~0)   Rodrick Brown (CCNA) Systems/Network Administrator   .
  . --ooO-(_)-Ooo- rodrick () yrd com    Yard Productions www.yrd.com    .
  . 212 West 35th St 7th AVE 212 244-5540 Real Time VideoBroadCasting .
  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


On Sat, 15 Apr 2000, Crispin Cowan wrote:

audit wrote:

I admin a few Linux servers and have a question about user's .bash_history
files. The users on the systems keep their history files but I would like
to have what they type logged to /root/history/$user_history
I know that this is not polite on my end or the other co-admin's but we
need to know what our users are doing at all times. These are slackware
boxes and some RedHat boxes.

You could achieve that effect by symlinking or hard linking
$HOME/.bash_history to /root/history/$user_history.  Yes, that will be
problematic because a user that wants to hide what they're doing will delete
the link.  However, this just highlights the problem that a user that wants
to hide what they're doing will run a modified shell.  At best, you will have
the security of tracking the actions of your naive users.  Especially clever
users intent on hiding will name their modified shell "vi" or "rn" :-)

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
                  JOBS!  http://immunix.org/jobs.html
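An added illustration of the hard-link variant of Crispin's suggestion, not code from the thread: it shows what an audit copy in a separate directory does and does not retain once the user removes their own .bash_history, plus an inode comparison an admin could use to notice that the link has been broken. All paths and the simulated history lines are constructed under a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread). Simulates bash appending to
# $HOME/.bash_history, which is hard-linked into an admin-owned audit
# directory, then the user deleting their copy.
set -eu

inode_of() { ls -i "$1" | awk '{print $1}'; }

# link_intact HOME_DIR AUDIT_FILE
# Prints "yes" while $HOME/.bash_history and the audit copy are one inode,
# "no" once the user's copy is missing or has been recreated as a new file.
link_intact() {
    [ -e "$1/.bash_history" ] || { echo no; return; }
    if [ "$(inode_of "$1/.bash_history")" = "$(inode_of "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# hardlink_history_demo HOME_DIR AUDIT_DIR USER
# Prints "<lines kept in audit copy> <link state after cleanup>".
hardlink_history_demo() {
    home=$1; audit=$2; user=$3
    mkdir -p "$home" "$audit"
    : > "$home/.bash_history"
    ln "$home/.bash_history" "$audit/${user}_history"   # two names, one inode
    # Simulated shell writes: bash rewrites the file in place, inode kept,
    # so both names see the constructed history lines.
    printf '%s\n' 'ls -la' 'make install' >> "$home/.bash_history"
    # Simulated cleanup by the user: unlinking one name leaves the other.
    rm -f "$home/.bash_history"
    # A later shell exit recreates a plain file; this line never reaches
    # the audit copy, which is the limitation Crispin points out.
    printf '%s\n' 'uname -a' >> "$home/.bash_history"
    printf '%s %s\n' "$(wc -l < "$audit/${user}_history" | tr -d ' ')" \
        "$(link_intact "$home" "$audit/${user}_history")"
}

# Usage: hardlink_history_demo "$(mktemp -d)/home" /tmp/audit alice  -> "2 no"
```

Running `link_intact` for each home directory from cron gives a cheap signal that a user's history file has been detached from its audit copy, although, as the thread notes, it says nothing about a user who simply unsets HISTFILE or runs another shell.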
