Tuesday, 19th March 2024

Comments on: How to make sure your Linux system users won’t hide or delete their .bash_history / Securing .bash_history file – Protect Linux system users shell history


  1. Rob Fortune says:

    Download own statically compiled bash, run it on top. You’d need to poll /proc/[0-9]+/exe say once every 10 seconds to stop this one and I wouldn’t have to use horrible csh 🙂

    Also, you say chattr +a allows deletion, I don’t know what kernel you are running but under OpenSUSE’s version of 2.6.34.7 it doesn’t allow deletion and if it does in mainline (which I find a bit hard to believe) then you could easily patch it not to.

    Thanks for the other commands though, not being a sysadmin anymore they’re not really relevant and I would only rely on process accounting to account for process activity, none-the-less, interesting read.

  2. Rob Fortune says:

    BTW, a lot of those attributes aren’t respected by filesystems, the “secure delete” being a prime example, ext2 ext3 are explicitly mentioned as ignoring it in the manual, I tested it with ext4 and ext4 too takes no notice. I filed a bug on it and the response made me believe there are other attribs commonly ignored – you should test they actually work with your file system before relying on them.

  3. Rob Fortune says:

    And from bash man page:

    --noprofile
    Do not read either the system-wide startup file /etc/profile or any of the personal initialization files ~/.bash_profile, ~/.bash_login, or ~/.profile. By default, bash reads these files when it is invoked as a login shell (see INVOCATION below).

    So I gave it a little try and voilà, a login shell without downloading my own where I can unset HISTFILE 🙂

    • admin says:

      Thanks for all the feedback Rob! Those are good points that expose how hard Linux is to secure nowadays.

      Best,
      Georgi

  4. Rob Fortune says:

    And then there is history -c …

  5. Rob Fortune says:

    rob@bob:~/tmp/foo> exec env -i bash --noprofile --norc
    bash-4.1$ unset HISTFILE

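Rob's first comment suggests polling /proc/[0-9]+/exe to catch a user-supplied bash binary, and his later comments show a shell started with --noprofile --norc to skip the history setup. The following is an added defender-side check, not code from the post or its commenters: it walks /proc and flags interactive shells whose binary lives outside the packaged shell directories (the trusted list is an assumption, adjust it per distribution), whose binary was unlinked after exec, or whose command line carries either bypass flag.

```shell
# Added example: detect shells that sidestep .bash_history (run as root to see all users).
# TRUSTED_SHELL_DIRS is an assumption; /usr/local/bin etc. would need adding on some systems.
TRUSTED_SHELL_DIRS="/bin /usr/bin"

# is_trusted_exe PATH -> 0 if the binary lives in a trusted dir and still exists, 1 otherwise
is_trusted_exe() {
    case "$1" in
        *" (deleted)") return 1 ;;   # readlink marks an unlinked binary this way
    esac
    dir=$(dirname "$1")
    for d in $TRUSTED_SHELL_DIRS; do
        [ "$dir" = "$d" ] && return 0
    done
    return 1
}

# has_bypass_flag CMDLINE -> 0 if --noprofile or --norc appears (argv flattened with spaces)
has_bypass_flag() {
    case " $1 " in
        *" --noprofile "*|*" --norc "*) return 0 ;;
    esac
    return 1
}

# classify_shell EXE CMDLINE -> prints "ok", "untrusted-exe" or "bypass-flags"
classify_shell() {
    if ! is_trusted_exe "$1"; then
        echo untrusted-exe
    elif has_bypass_flag "$2"; then
        echo bypass-flags
    else
        echo ok
    fi
}

# scan_procs -> one line "PID verdict exe cmdline" per suspicious shell; nothing if all clean
scan_procs() {
    for p in /proc/[0-9]*; do
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        case "$comm" in bash|sh|dash|zsh|ksh) ;; *) continue ;; esac
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # unreadable for other users' processes when not root
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
        verdict=$(classify_shell "$exe" "$cmd")
        [ "$verdict" = ok ] || echo "${p#/proc/} $verdict $exe $cmd"
    done
}
```

Run scan_procs from cron or a loop every few seconds, as Rob suggests; it only tells you a shell is off the expected path, so pair it with process accounting rather than treating it as proof of intent.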
  6. Rob Fortune says:

    You could of course patch bash to not have these options, but you were correct in saying “it won’t a 100% guarantee that a good cracker won’t be able to come up with a way to get around the imposed .bash_history security measures.”

    I’m far from a good cracker 🙂 I bet there are other ways around it too.

    • admin says:

      Yes that’s completely true but then again you need to tamper with the default system settings 🙂

  7. Rob Fortune says:

    Do you have python or perl installed? A quick REPL loop that executes system calls and you have a very lame bash with no history 🙂

    • admin says:

      Yes you’re absolutely correct. What I meant by this post was just to give a basic overview of the current ways to keep a lame person who has access to the shell from being able to delete their history. I know it’s far from superior 🙂

  8. Ali Rabiee says:

    Thank you, the post’s and the comments’ authors.

  9. Milo says:

    To prevent saving session-history to .bash_history:
    $  ps
      PID TTY          TIME CMD
    13803 pts/4    00:00:00 bash
    15368 pts/4    00:00:00 ps

    $  kill -9 13803
    Kill the login-shell process instead of logging out the normal way.

    • hip0 says:

      I used to do this quite often in the past. I’d forgotten about this. Good tip, thx 🙂
