Re: bash_history to track users

From: Sebastian Hans (hanss_at_in.tum.de)
Date: 11/15/03

Next message: Trystano_at_aol.com: "PKI in wireless transactions"

Previous message: sNeakEr: "Re: Accessing corporate servers through the web.."
In reply to: jrd_at_gerdesas.com: "Re: bash_history to track users"
Next in thread: Ansgar -59cobalt- Wiechers: "Re: bash_history to track users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 15 Nov 2003 15:26:08 +0100
To: security-basics@securityfocus.com

jrd@gerdesas.com wrote:
> Perhaps I am missing something here, but wouldn't modifying bash to syslog the
> activities be a little more secure in the long run? Especially if re-directing
> syslog entries to an external syslog server and not keeping them on the local,
> shell accessible boxes.
>
> It would also not be much more difficult then just logging to files.

Okay, but this still does not solve the alternate shell problem.
And just logging the command lines isn't enough either. Consider this:

~/.aliases contains bash aliases (sourced from ~/.bashrc).
Edit ~/.aliases to include the following line:

alias cat='echo "Evil.";sed -i "/^alias cat=/d" ~/.aliases;unalias cat;cat'

$ echo Harmless >harmless.txt
$ exec bash --login # Or just log out and log in again. Now cat is an alias.
$ cat harmless.txt
Evil.
Harmless
$ cat harmless.txt # Here cat is no longer an alias.
Harmless

In ~/.aliases there is no trace left of the evil alias.

.bash_history only shows this:

echo "Harmless" >harmless.txt
exec bash --login
cat harmless.txt
cat harmless.txt

As you can see, 'echo "Evil."' is not logged. You would have to change
bash to log command lines after expansion is performed and even then you
could get around it with scripts.

Ciao

Seb

-- 
/~\ The ASCII                          Sebastian Hans
\ / Ribbon Campaign                    hanss@in.tum.de
 X  Against HTML                         0x5AED1E6D
/ \ Email!           014C 4A54 FED4 C0B5 3E87  427B 6910 AB0A 5AED 1E6D

application/pgp-signature attachment: stored

Next message: Trystano_at_aol.com: "PKI in wireless transactions"

Previous message: sNeakEr: "Re: Accessing corporate servers through the web.."
In reply to: jrd_at_gerdesas.com: "Re: bash_history to track users"
Next in thread: Ansgar -59cobalt- Wiechers: "Re: bash_history to track users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: smarter history recall in bash
... Suppose I have typed the following commands in bash. ... is the backward search. ...
(comp.unix.shell)
Re: Bash process substitution error
... cat: write error: Bad file descriptor ... Am I wrong in syntax, semantics or is there a problem with bash, ... Cygwin or combination of these I am not aware of? ...
(comp.unix.shell)
Re: smarter history recall in bash
... Suppose I have typed the following commands in bash. ... then n or N ...
(comp.unix.shell)
why there is // ?
... cat /etc/profile.d/vim.sh ... # for bash and zsh, only if no alias is already set ... It seems that bash always treats multiple sequential '/' as one '/'. ...
(comp.unix.shell)
Using aliases or functions in bash script
... A bash alias expansion question -- ... How can I use my aliases or functions in my bash script? ... values of the shell options accepted by shopt are printed on ...
(Debian-User)