[Linux-cluster] Quick off topic question

Jayson Vantuyl jvantuyl at engineyard.com
Wed Jan 10 21:17:02 UTC 2007


In bash, shell history can be disabled with the command:

unset HISTFILE

It wasn't intended to be and isn't suitable for any form of security  
tracking.  Not to mention that at any point the intruder could  
manually execute a non-interactive shell which wouldn't log either.

I'd really recommend the auditing infrastructure.

On Jan 10, 2007, at 1:59 PM, Bryn M. Reeves wrote:

> Kit Gerrits wrote:
>> Keep in mind, that Bash does some interesting tricks with its  
>> bash_history.
>> (like maintaining a single history per session and fusing them  
>> afterwards).
>>
>> It might be a good idea to mail&wipe the .bash_history file upon  
>> logout.
>>
>>
>> If you want to use the .bash_history file for auditing:
>> Some O/S'es / filesystems allow write-only access to files.
>> This would make sure the user cannot 'edit' the file to remove any  
>> traces.
>> (This is usually limited to /var/log, so I don't know if it can be  
>> applied
>> to a single file)
>>
>
> Ext3 allows something close to this. Using its extended attributes you
> can mark a file as append only (chattr +a <file>). Only the root  
> account
> can add/remove this attr.
>
> It doesn't seem to play too well when the history fills up though -  
> if I
> set HISTFILESIZE and HISTSIZE both to 10, after 10 history items have
> accumulated it ceases to record anything.
>
> I don't think trying to use the shell history as a security audit is
> really going to fly.
>
> Kind regards,
>
> Bryn.
>



-- 
Jayson Vantuyl
Systems Architect
Engine Yard
jvantuyl at engineyard.com
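
Added example, not part of the original message: a sketch of what the kernel audit log captures that shell history does not, by rebuilding command lines from `SYSCALL`/`EXECVE` record pairs. The log lines and the `exec_log` key are constructed for illustration, and arguments long enough to be split across several `aN[i]` fields are not handled.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux audit log format, as an execve rule such as
#   auditctl -a always,exit -F arch=b64 -S execve -k exec_log
# would produce. Event 412 is a non-interactive `bash -c ...`, which never
# reaches ~/.bash_history but is still recorded here with the login uid (auid).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1168463822.101:412): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2140 auid=500 uid=0 comm="bash" exe="/bin/bash" key="exec_log"
type=EXECVE msg=audit(1168463822.101:412): argc=3 a0="bash" a1="-c" a2=726D202D7266202F746D702F78
type=SYSCALL msg=audit(1168463830.442:413): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2141 auid=500 uid=500 comm="ls" exe="/bin/ls" key="exec_log"
type=EXECVE msg=audit(1168463830.442:413): argc=2 a0="ls" a1="-l"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(value):
    """Audit quotes plain strings and hex-encodes ones with spaces or control chars."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # unquoted but not hex: keep as written

def parse_exec_events(log_text):
    """Group records by event serial and return one dict per executed command."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        ev = events[int(serial)]
        ev["time"] = float(ts)
        if rtype == "SYSCALL":
            ev["auid"] = int(fields["auid"])  # who logged in, survives su/sudo
            ev["uid"] = int(fields["uid"])    # who the process runs as
            ev["exe"] = decode_arg(fields["exe"])
        elif rtype == "EXECVE":
            argc = int(fields["argc"])
            ev["argv"] = [decode_arg(fields.get(f"a{i}", "")) for i in range(argc)]
    return [events[s] for s in sorted(events) if "argv" in events[s]]

if __name__ == "__main__":
    for ev in parse_exec_events(SAMPLE_LOG):
        print(ev["time"], "auid=%d uid=%d" % (ev["auid"], ev["uid"]), ev["exe"], ev["argv"])
```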

