Re: bash_history to track users

From: Sebastian Hans (hanss_at_in.tum.de)
Date: 11/15/03

  • Next message: Trystano_at_aol.com: "PKI in wireless transactions"
    Date: Sat, 15 Nov 2003 15:26:08 +0100
    To: security-basics@securityfocus.com
    
    
    

    jrd@gerdesas.com wrote:
    > Perhaps I am missing something here, but wouldn't modifying bash to syslog the
    > activities be a little more secure in the long run? Especially if re-directing
    > syslog entries to an external syslog server and not keeping them on the local,
    > shell accessible boxes.
    >
    > It would also not be much more difficult then just logging to files.

    Okay, but this still does not solve the alternate shell problem.
    And just logging the command lines isn't enough either. Consider this:

    ~/.aliases contains bash aliases (sourced from ~/.bashrc).
    Edit ~/.aliases to include the following line:

    alias cat='echo "Evil.";sed -i "/^alias cat=/d" ~/.aliases;unalias cat;cat'

    $ echo Harmless >harmless.txt
    $ exec bash --login # Or just log out and log in again. Now cat is an alias.
    $ cat harmless.txt
    Evil.
    Harmless
    $ cat harmless.txt # Here cat is no longer an alias.
    Harmless

    In ~/.aliases there is no trace left of the evil alias.

    .bash_history only shows this:

    echo "Harmless" >harmless.txt
    exec bash --login
    cat harmless.txt
    cat harmless.txt

    As you can see, 'echo "Evil."' is not logged. You would have to change
    bash to log command lines after expansion is performed and even then you
    could get around it with scripts.

    Ciao

    Seb

    -- 
    /~\ The ASCII                          Sebastian Hans
    \ / Ribbon Campaign                    hanss@in.tum.de
     X  Against HTML                         0x5AED1E6D
    / \ Email!           014C 4A54 FED4 C0B5 3E87  427B 6910 AB0A 5AED 1E6D
    
    



  • Next message: Trystano_at_aol.com: "PKI in wireless transactions"