[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Linux-cluster] Quick off topic question



In bash, shell history can be disabled with the command:

unset HISTFILE

It wasn't intended to be and isn't suitable for any form of security tracking.  Not to mention that at any point the intruder could manually execute a non-interactive shell which wouldn't log either.

I'd really recommend the auditing infrastructure.

On Jan 10, 2007, at 1:59 PM, Bryn M. Reeves wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kit Gerrits wrote:
Keep in mind, that Bash does some interesting tricks with its bash_history.
(like maintaining a single history per session and fusing them afterwards).

It might be a good idea to mail&wipe the .bash_history file upon logout.


If you want to use the .bash_history file for autiding:
Some O/S'es / filesystems allow write-only access to files.
This would make sure the user cannot 'edit' the file to remove any traces.
(This is usually limited to /var/log, so I don't know if it can be applied
to a single file)


Ext3 allows something close to this. Using its extended attributes you
can mark a file as append only (chattr +a <file>). Only the root account
can add/remove this attr.

It doesn't seem to play to well when the history fills up though - if I
set HISTFILESIZE and HISTSIZE both to 10, after 10 history items have
accumulated it ceases to record anything.

I don't think trying to use the shell history as a security audit is
really going to fly.

Kind regards,

Bryn.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFpUWg6YSQoMYUY94RAodyAJwPqvhL6kjsuNtk+41fjCTTm42WCQCfePBG
Ej02a3O1mY8reqbN/8KqRDM=
=mSYq
-----END PGP SIGNATURE-----

--
Linux-cluster mailing list



-- 
Jayson Vantuyl
Systems Architect
Engine Yard



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]