Re: bash_history

From: Daniel Cid (danielcid_at_yahoo.com.br)
Date: 04/09/05

    Date: Sat, 9 Apr 2005 00:12:35 -0300 (ART)
    To: Alejandro Flores <alejandro.flores@triforsec.com.br>, security-basics@securityfocus.com
    
    

    Hi Alejandro,

    Only changing the permissions of the .bash_profile and
    .bashrc is not sufficient. A user would still be able
    to delete the .bash_history file or change the
    histfile/histsize in the environment.

    One solution for that is to mark HISTFILE and
    HISTSIZE as readonly (readonly HISTFILE; readonly
    HISTSIZE). The second is to set the attributes of
    the HISTFILE to "append only" (using chattr or
    chflags, depending on the system).

    However, these solutions are not perfect and some
    "smart" attacker can bypass some of these protections.

    Maybe using some form of tty logging is the best
    solution (although the users will not like it very
    much).

    See you,

    --
    Daniel B. Cid, CISSP
    daniel.cid @ ( at ) gmail. com
    --- Alejandro Flores
    <alejandro.flores@triforsec.com.br> wrote:
    > Hey there,
    > 
    > I was googling about a way to protect the
    > bash_history file from user
    > removal or UNSET the HISTFILE variable and all I
    > found was papers about
    > disabling this file for security reasons. Weird! Why
    > is it recommended to
    > disable this file, when it contains the history of
    > typed commands from
    > all users? Ok, ok, you can tell me that users may
    > have typed passwords
    > in a bash session to gain access to a mysql database
    > for example. 
    > But, if you need to do some forensics in your
    > compromised server, this
    > file is the first place to know what the 'malicious
    > dude' did to gain
    > root privileges, the server where he downloaded his
    > craps, etc...
    > I started 'chown'ing the .bash_profile and .bashrc
    > files to root, and
    > removed the 'wx' from group and others. The user has
    > only read
    > permission.
    > But I can't prevent him from changing the HISTFILE
    > variable. Like:
    > export HISTFILE=/dev/null
    > With this command, all my steps from now on aren't
    > recorded.
    > 
    > Ideas?
    > 
    > Regards,
    > Alejandro Flores
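The two controls Daniel proposes, written out as a profile fragment with the checks an administrator would run afterwards. This is an added example, not code from the thread; the paths and the lsattr sample lines are constructed, and HISTFILESIZE/histappend are added because an append-only file refuses the truncating rewrite bash performs by default.

```shell
#!/bin/sh
# Added example, not from the thread: a profile fragment that applies the two
# controls Daniel describes, plus checks an admin can run afterwards.
# Paths and the lsattr sample lines below are constructed.

# Control 1: pin the history variables and make them read-only, so a later
# `export HISTFILE=/dev/null` or `unset HISTFILE` in that shell is refused.
lock_history_vars() {
    # Idempotent: /etc/profile may be sourced more than once per login.
    is_readonly_var HISTFILE && return 0
    HISTFILE="${HOME}/.bash_history"
    HISTSIZE=10000
    HISTFILESIZE=10000
    # Bash rewrites HISTFILE on exit unless histappend is set; a rewrite
    # truncates, which an append-only file refuses, so append instead.
    [ -n "${BASH_VERSION:-}" ] && shopt -s histappend
    readonly HISTFILE HISTSIZE HISTFILESIZE
}

# Return 0 if NAME can no longer be reassigned. The assignment is attempted
# in a subshell so a successful probe does not change the caller's value.
is_readonly_var() {
    ! ( eval "$1=probe" ) 2>/dev/null
}

# Control 2 (root only, ext* filesystems): chattr +a "$HOME/.bash_history"
# makes the file append-only, so the user can neither truncate nor rm it.
# append_only_set parses one line of `lsattr` output ("<flags> <path>") and
# reports whether the 'a' flag is present. Only the flags field is examined,
# so an 'a' in the path name does not produce a false positive.
append_only_set() {
    case "${1%% *}" in
        *a*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed lsattr lines (not captured from a real host).
SAMPLE_LSATTR_LOCKED='-----a--------e------- /home/alice/.bash_history'
SAMPLE_LSATTR_PLAIN='--------------e------- /home/adam/.bash_history'

# Stand-alone demo: apply the lock, then run the checks an admin would run.
lock_history_vars
is_readonly_var HISTFILE && echo "HISTFILE is read-only: $HISTFILE"
append_only_set "$SAMPLE_LSATTR_LOCKED" && echo "alice: history is append-only"
append_only_set "$SAMPLE_LSATTR_PLAIN" || echo "adam: history is NOT append-only"
```

As Daniel notes, neither control is complete: they govern only shells that load this profile, which is why he points to tty logging as the more reliable record.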
    
