Re: bash_history to track users

From: Sebastian Hans (hanss_at_in.tum.de)
Date: 11/15/03

    Date: Sat, 15 Nov 2003 15:26:08 +0100
    To: security-basics@securityfocus.com
    
    
    

    jrd@gerdesas.com wrote:
    > Perhaps I am missing something here, but wouldn't modifying bash to syslog the
    > activities be a little more secure in the long run? Especially if re-directing
    > syslog entries to an external syslog server and not keeping them on the local,
    > shell accessible boxes.
    >
    > It would also not be much more difficult than just logging to files.

    Okay, but this still does not solve the alternate shell problem.
    And just logging the command lines isn't enough either. Consider this:

    ~/.aliases contains bash aliases (sourced from ~/.bashrc).
    Edit ~/.aliases to include the following line:

    alias cat='echo "Evil.";sed -i "/^alias cat=/d" ~/.aliases;unalias cat;cat'

    $ echo Harmless >harmless.txt
    $ exec bash --login # Or just log out and log in again. Now cat is an alias.
    $ cat harmless.txt
    Evil.
    Harmless
    $ cat harmless.txt # Here cat is no longer an alias.
    Harmless

    In ~/.aliases there is no trace left of the evil alias.

    .bash_history only shows this:

    echo "Harmless" >harmless.txt
    exec bash --login
    cat harmless.txt
    cat harmless.txt

    As you can see, 'echo "Evil."' is not logged. You would have to change
    bash to log command lines after expansion is performed and even then you
    could get around it with scripts.

    Ciao

    Seb

    -- 
    /~\ The ASCII                          Sebastian Hans
    \ / Ribbon Campaign                    hanss@in.tum.de
     X  Against HTML                         0x5AED1E6D
    / \ Email!           014C 4A54 FED4 C0B5 3E87  427B 6910 AB0A 5AED 1E6D
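
A defensive check for the alias trick described in the message above, as an added example that is not part of the original post: it scans an alias file and flags definitions that shadow a resolvable command, chain several commands, or unalias themselves. The function names, flag labels and the one-definition-per-line format `alias name='body'` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Flags alias definitions that
# shadow a command, chain extra commands, or remove themselves after use.
# Assumption: one definition per line, in the form  alias name='body'

audit_aliases() {
    sed -n 's/^[[:space:]]*alias[[:space:]][[:space:]]*\([^=[:space:]][^=[:space:]]*\)=\(.*\)$/\1 \2/p' "$1" |
    while read -r name body; do
        flags=""
        # The alias name hides a command the shell can already resolve (e.g. cat).
        if command -v "$name" >/dev/null 2>&1; then
            flags="$flags shadows-command"
        fi
        # The body runs more than one command.
        case "$body" in
            *\;*|*"&&"*|*"||"*) flags="$flags chained" ;;
        esac
        # The body unaliases its own name, so the extra commands fire only once.
        case "$body" in
            *"unalias $name"*) flags="$flags self-removing" ;;
        esac
        if [ -n "$flags" ]; then
            printf '%s:%s\n' "$name" "$flags"
        fi
    done
}

# Constructed sample: the alias from the post plus a benign one.
make_sample() {
    cat <<'EOF'
alias cat='echo "Evil.";sed -i "/^alias cat=/d" ~/.aliases;unalias cat;cat'
alias ll='ls -l'
EOF
}

sample=$(mktemp)
make_sample >"$sample"
audit_aliases "$sample"
rm -f "$sample"
```

A scan like this only sees the alias while it is still in the file; once the alias from the post has run, it has already deleted its own definition.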
    
    


