Re: bash_history set to zero length



kevin bailey wrote:

We all will try to help some more, with more details. Was this user
you? Was it a system user? Was it someone else? What was your 'big
nessus scan'? Do we all need to be aware of something new?

I log in to the server over ssh to carry out various tasks for which I
sometimes have to su to root.

Only one other user has access via ssh - this is a developer who updates
a website using winscp.

Generally, each user, including root, has his own .bash_history file in
his own home directory. When you log in as a normal user, you will use
that user's history. When you su to root, you will then use root's
history. The session history is actually only in memory until the session
is logged out. The existing history file on disk is not changed until
then, when the session history is appended to what is already on disk.
There are probably several easy ways to change that behavior if desired,
but it would need to be an intentional change.

The exception might be that your ssh connection is somehow not writing any
history file, and so that user never had anything written to file. I
can't tell you if that might be true, but it should be easy to check (and
correct if necessary).

So, for example, (normally) if you or anyone has ever logged on as
that user, and then issued any command-line command (including su), and
then logged out normally, then the session history will be written to disk
and the file will not be zero length. And that's exactly why a zero
length history is so "unusual". It is not difficult to determine if these
rules do actually apply to your system and this user: log on as (or
su to) this user, issue a command like ls, then log out and check
the file length for that user's history again.

There is (normally) no need to zero a history file, and no automatic
provision to do so. What you have written suggests to me that you may not
be entirely clear if it was due to your session or the other person's that
the history length is zero.

The only thing that has shown up is the bash_history file was zero length
one day when I su'd to root.

There is no other sign of intrusion that I can see via aide or chkrootkit.

These are both generally well regarded and valuable tools. I might be
wrong, but don't believe either is entirely infallible. Chkrootkit looks
for specific things that are (or have been) found on compromised systems
(like zero-length history files). The fact that it doesn't find other
signs (or any) is not evidence that there has _not_ been illicit activity
or tampering. It is itself a shell script, subject to being edited or
changed, and subject to system commands being trusted, and so is best run
locally from a (live) CD.

Aide depends on baseline data and system commands. It is also best
trusted when run locally using trusted, read-only media.

Unfortunately, what needs to be kept in mind is that if and when a system
is compromised, nothing on that system can be trusted.

Server is debian sarge and everything is up-to-date.

I looked about and I had a few other sessions running on another workspace
on my laptop and they had become disconnected when the network cable had
become unplugged.

Maybe one of these disconnects cause the bash_history to become lost?

Many things might happen as a result of unexpected or non-standard
disconnections, etc. I would not expect it to be plausible that zeroing a
history file's length would be one of them. You could check it on your
system with a user that has a non-zero length history file to start with.

I would like to be able to suggest a simple reason for this, but cannot
outside of other possibilities already suggested. Until you find a
plausible rationale, I think you should keep looking, at least.

If you can populate a history file for this user, and cannot explain the
zero length file you found, you have to seriously consider malicious
activity. Hope you find the reason, and it is innocuous, but it doesn't
sound that way yet.

Good luck and please write back to tell us what you found.
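The two points above, that session history stays in memory and is appended to the file on a normal logout, and the suggested check of the users' history files, as an added example that is not part of the original post. The account names, the temporary directory tree and the "typed" commands are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. 1) simulate a session to show that
# history is only appended to $HISTFILE when the session ends, so a normal
# logout cannot leave a populated file empty; 2) audit home directories for
# history files that are zero length, missing, or symlinked away.
# Prints the on-disk line count before and after the append a logout performs.
simulate_session() {
  local hist="$1"
  printf 'echo old-entry\n' > "$hist"            # pre-existing on-disk history
  HISTFILE="$hist" HISTSIZE=500 HISTFILESIZE=500 HISTCONTROL= HISTIGNORE= bash -c '
    set -o history
    history -s "ls"; history -s "su -"            # commands "typed" this session
    grep -c "" "$HISTFILE"                        # still 1: nothing written yet
    history -a                                    # what a normal exit does
    grep -c "" "$HISTFILE"'                       # now old entry + session lines
}
# Report the state of .bash_history for every home directory under $1.
# On a real host run it against /home (and check /root separately).
audit_histories() {
  local base="$1" home user f
  for home in "$base"/*/; do
    user=$(basename "$home"); f="$home.bash_history"
    if [ -L "$f" ]; then
      printf '%s SYMLINK -> %s\n' "$user" "$(readlink "$f")"   # e.g. /dev/null
    elif [ ! -e "$f" ]; then
      printf '%s MISSING\n' "$user"
    elif [ ! -s "$f" ]; then
      printf '%s EMPTY\n' "$user"                 # zero length: investigate
    else
      printf '%s OK %s lines\n' "$user" "$(grep -c '' "$f")"
    fi
  done
}
# Constructed sample accounts covering each case the audit reports.
make_demo_tree() {
  local base; base=$(mktemp -d)
  mkdir -p "$base/alice" "$base/bob" "$base/carol" "$base/dave"
  printf 'ls\nsu -\n' > "$base/alice/.bash_history"   # normal, populated
  : > "$base/bob/.bash_history"                       # zero length, as in the thread
  ln -s /dev/null "$base/dave/.bash_history"          # history deliberately discarded
  printf '%s\n' "$base"                               # carol has no history file at all
}
demo=$(make_demo_tree)
simulate_session "$demo/alice/.bash_history"
audit_histories "$demo"
rm -rf "$demo"
```

A populated file that turns up EMPTY for an account that has logged in since is the case the thread treats as suspicious; MISSING and SYMLINK usually have an administrative explanation but are worth confirming.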