Re: bash_history to track users
From: Sebastian Hans (hanss_at_in.tum.de)
Date: Sat, 15 Nov 2003 15:26:08 +0100 To: firstname.lastname@example.org
> Perhaps I am missing something here, but wouldn't modifying bash to syslog the
> activities be a little more secure in the long run? Especially if re-directing
> syslog entries to an external syslog server and not keeping them on the local,
> shell accessible boxes.
> It would also not be much more difficult then just logging to files.
Okay, but this still does not solve the alternate shell problem.
And just logging the command lines isn't enough either. Consider this:
~/.aliases contains bash aliases (sourced from ~/.bashrc).
Edit ~/.aliases to include the following line:
alias cat='echo "Evil.";sed -i "/^alias cat=/d" ~/.aliases;unalias cat;cat'
$ echo Harmless >harmless.txt
$ exec bash --login # Or just log out and log in again. Now cat is an alias.
$ cat harmless.txt
$ cat harmless.txt # Here cat is no longer an alias.
In ~/.aliases there is no trace left of the evil alias.
.bash_history only shows this:
echo "Harmless" >harmless.txt
exec bash --login
As you can see, 'echo "Evil."' is not logged. You would have to change
bash to log command lines after expansion is performed and even then you
could get around it with scripts.
-- /~\ The ASCII Sebastian Hans \ / Ribbon Campaign email@example.com X Against HTML 0x5AED1E6D / \ Email! 014C 4A54 FED4 C0B5 3E87 427B 6910 AB0A 5AED 1E6D
- application/pgp-signature attachment: stored