
Re: [Linux-cluster] Quick off topic question

In bash, shell history can be disabled with the command:


It wasn't intended to be and isn't suitable for any form of security tracking.  Not to mention that at any point the intruder could manually execute a non-interactive shell which wouldn't log either.

I'd really recommend the auditing infrastructure.

On Jan 10, 2007, at 1:59 PM, Bryn M. Reeves wrote:


Kit Gerrits wrote:
Keep in mind, that Bash does some interesting tricks with its bash_history.
(like maintaining a single history per session and fusing them afterwards).

It might be a good idea to mail&wipe the .bash_history file upon logout.

If you want to use the .bash_history file for auditing:
Some O/S'es / filesystems allow write-only access to files.
This would make sure the user cannot 'edit' the file to remove any traces.
(This is usually limited to /var/log, so I don't know if it can be applied
to a single file)

Ext3 allows something close to this. Using its extended attributes you
can mark a file as append only (chattr +a <file>). Only the root account
can add/remove this attr.

It doesn't seem to play too well when the history fills up though - if I
set HISTFILESIZE and HISTSIZE both to 10, after 10 history items have
accumulated it ceases to record anything.

I don't think trying to use the shell history as a security audit is
really going to fly.

Kind regards,



Jayson Vantuyl
Systems Architect
Engine Yard
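
As an added illustration of the audit-infrastructure recommendation in the message above (not part of the original thread, and not code from any of its authors): a Python parser that rebuilds executed command lines from Linux audit `SYSCALL`/`EXECVE` record pairs, which are written whether or not a shell with history was involved. The sample records are constructed, and the record layout and the `exec_log` rule key are assumptions about a host with an execve audit rule loaded.

```python
import re
from collections import defaultdict

# Constructed sample records (not from a real host). Assumed layout: what Linux
# auditd writes when a rule on the execve syscall, keyed "exec_log", is loaded.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1168455540.101:4521): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2350 auid=500 uid=500 tty=pts0 comm="ls" exe="/bin/ls" key="exec_log"
type=EXECVE msg=audit(1168455540.101:4521): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1168455561.774:4522): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2351 auid=500 uid=0 tty=(none) comm="sh" exe="/bin/sh" key="exec_log"
type=EXECVE msg=audit(1168455561.774:4522): argc=3 a0="sh" a1="-c" a2=726D202F746D702F6E6F746573
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")  # timestamp:serial links records
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_arg(raw):
    """auditd quotes plain arguments and hex-encodes ones with spaces or odd bytes."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # leave anything unexpected untouched


def parse_exec_events(log_text):
    """Merge the SYSCALL and EXECVE records of each event into one dict."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = dict(FIELD.findall(line))
        event = events[m.group(1)]
        if fields.get("type") == "SYSCALL":
            # auid is the login uid: it stays 500 below even where uid is 0.
            for key in ("auid", "uid", "tty", "exe"):
                event[key] = fields.get(key, "").strip('"')
        elif fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", "0"))
            event["argv"] = [decode_arg(fields[f"a{i}"])
                             for i in range(argc) if f"a{i}" in fields]
    return list(events.values())


if __name__ == "__main__":
    for ev in parse_exec_events(SAMPLE_LOG):
        print(ev["auid"], ev["uid"], ev["tty"], ev["exe"], ev["argv"])
```

The second constructed event has no controlling terminal and a hex-encoded argument, yet its full command line and originating login uid are still recovered.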
