Re: bash_history to track users

jrd_at_gerdesas.com
Date: 11/14/03

    To: hanss@in.tum.de (Sebastian Hans)
    Date: Fri, 14 Nov 2003 14:02:31 -0600 (CST)
    
    

    Perhaps I am missing something here, but wouldn't modifying bash to syslog the
    activities be a little more secure in the long run? Especially if re-directing
    syslog entries to an external syslog server and not keeping them on the local,
    shell accessible boxes.

    It would also not be much more difficult than just logging to files.

                                                            John

    In previous mail, Sebastian Hans spouted...
    >
    > Jack Whitsitt (jofny) wrote:
    > > > The ONLY thing this would be useful for is being able to backtrack a clue-less user. A
    > > > malicious user with clue will do what he wants and then go hand edit the bash history.
    > > > After all, it's in his home
    > > > directory and he owns it.
    > > >
    > >
    > > That's not entirely accurate. It's fairly easy to modify bash to log this file elsewhere...and
    > > it should not be much harder to have it log to two locations with different permissions...
    >
    > But not too different. The user must still have write access. Otherwise,
    > how would the shell write to it? If the shell can write to it, so can
    > the user. Anyway, what if the user has more than one instance running?
    > .bash_history only has the history of one instance. Or tcsh? Or any
    > other shell for that matter?
    >
    > > Without hacking the code, though, I suppose you can write a script to parse the output of "w"
    > > and have it add items as they change.
    >
    > But this only catches
    > (1) the foreground process, not processes running in the background
    > (you could parse the output of ps instead) and
    > (2) processes that are running while you are doing the w (or ps). Some
    > could slip through.
    >
    > Seb
    > --
    > /~\ The ASCII Sebastian Hans
    > \ / Ribbon Campaign hanss@in.tum.de
    > X Against HTML 0x5AED1E6D
    > / \ Email! 014C 4A54 FED4 C0B5 3E87 427B 6910 AB0A 5AED 1E6D
    >
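
The idea raised in the reply above (have the shell itself send each command to syslog, with the syslog daemon forwarding to an external host), sketched as an added C example that is not from the original thread or from bash's source. The function names `audit_sanitize` and `audit_log_command`, the `shell-audit` tag and the 512-byte cap are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <syslog.h>
#include <unistd.h>

#define AUDIT_MAX 512  /* assumed cap so one command stays in one record */

/* Copy a command line into out, replacing control characters (newlines,
 * escape sequences) with '?' so typed input cannot split into extra,
 * forged-looking log records. Truncates to outsz-1 bytes.
 * Returns the number of bytes written, not counting the terminator. */
size_t audit_sanitize(const char *cmd, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return 0;
    for (; *cmd != '\0' && n + 1 < outsz; cmd++)
        out[n++] = iscntrl((unsigned char)*cmd) ? '?' : *cmd;
    out[n] = '\0';
    return n;
}

/* Hypothetical hook: a patched shell would call this for every line it
 * adds to its history. The record goes to the local syslog daemon; the
 * daemon's own configuration is what forwards it to the external log
 * host, so nothing is kept in a file the user owns. */
void audit_log_command(const char *cmd)
{
    char clean[AUDIT_MAX];
    audit_sanitize(cmd, clean, sizeof clean);
    openlog("shell-audit", LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_INFO, "uid=%lu cmd=%s", (unsigned long)getuid(), clean);
    closelog();
}

int main(void)
{
    /* Constructed sample input: a normal command, then one carrying an
     * embedded newline followed by text shaped like a log record. */
    audit_log_command("ls -la /etc");
    audit_log_command("true\nNov 14 14:02:31 host shell-audit: uid=0 cmd=fake");
    return 0;
}
```

Because the hook lives inside the shell binary, it only covers sessions that actually run that binary, which is the limit the quoted message points out for tcsh and other shells.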
