Comments on: How to make sure your Linux system users won’t hide or delete their .bash_history / Securing .bash_history file – Protect Linux system users shell history
Download your own statically compiled bash and run it on top. You’d need to poll /proc/[0-9]+/exe, say, once every 10 seconds to stop this one, and I wouldn’t have to use horrible csh 🙂
Also, you say chattr +a allows deletion. I don’t know what kernel you are running, but under OpenSUSE’s version of 2.6.34.7 it doesn’t allow deletion, and if it does in mainline (which I find a bit hard to believe) then you could easily patch it not to.
Thanks for the other commands though; not being a sysadmin anymore, they’re not really relevant, and I would only rely on process accounting to account for process activity. Nonetheless, an interesting read.
BTW, a lot of those attributes aren’t respected by filesystems, the “secure delete” one being a prime example: ext2 and ext3 are explicitly mentioned as ignoring it in the manual, and I tested it with ext4, which takes no notice either. I filed a bug on it and the response made me believe there are other attribs commonly ignored – you should test that they actually work with your filesystem before relying on them.
And from the bash man page:
--noprofile
Do not read either the system-wide startup file /etc/profile or any of the personal initialization files ~/.bash_profile, ~/.bash_login, or ~/.profile. By default, bash reads these files when it is invoked as a login shell (see INVOCATION below).
So I gave it a little try and voilà, a login shell, without downloading my own, where I can unset HISTFILE 🙂
Thanks for all the feedback Rob! Those are good points that expose how hard Linux is to secure nowadays.
Best,
Georgi
And then there is history -c …
rob@bob:~/tmp/foo> exec env -i bash --noprofile --norc
bash-4.1$ unset HISTFILE
You could of course patch bash to not have these options, but you were correct in saying “it won’t be a 100% guarantee that a good cracker won’t be able to come up with a way to get around the imposed .bash_history security measures.”
I’m far from a good cracker 🙂 I bet there are other ways around it too.
Yes, that’s completely true, but then again you need to tamper with the default system settings 🙂
Do you have python or perl installed? A quick REPL loop that executes system calls and you have a very lame bash with no history 🙂
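An added example, not from the post or any of the commenters, that turns the earlier suggestion of polling /proc/[0-9]+/exe into a defender-side audit for the bypasses raised in this thread: a shell binary that is not the distribution’s own, a shell started with --noprofile/--norc, and an interactive python/perl REPL on a tty. The trusted shell paths and the interpreter names are assumptions to adapt to your system.

```python
#!/usr/bin/env python3
"""Audit running processes via /proc for signs that shell history is being bypassed."""
import os
from dataclasses import dataclass
from typing import List, Optional

# Assumed: where the packaged shells live on this host. A statically compiled
# bash dropped into a home directory (or an already-deleted binary) is outside this set.
TRUSTED_SHELLS = {"/bin/bash", "/usr/bin/bash", "/bin/sh", "/usr/bin/sh"}
SHELL_NAMES = {"bash", "sh"}
HISTORY_SKIP_FLAGS = {"--noprofile", "--norc"}
REPL_NAMES = {"python", "python3", "perl", "ruby", "irb"}  # assumed interpreter names

@dataclass
class Proc:
    pid: int
    exe: str         # target of /proc/<pid>/exe
    argv: List[str]  # /proc/<pid>/cmdline split on NUL
    on_tty: bool     # True when fd 0 is a pseudo-terminal

def findings_for(p: Proc) -> List[str]:
    """Return one finding per suspicious trait of a single process."""
    base = os.path.basename(p.argv[0]).lstrip("-") if p.argv else ""  # login shells run as "-bash"
    out = []
    if base in SHELL_NAMES and p.exe not in TRUSTED_SHELLS:
        out.append(f"pid {p.pid}: shell binary outside trusted set ({p.exe})")
    if base in SHELL_NAMES and HISTORY_SKIP_FLAGS & set(p.argv[1:]):
        out.append(f"pid {p.pid}: shell started with rc/profile skipped ({' '.join(p.argv)})")
    if base in REPL_NAMES and p.on_tty and len(p.argv) == 1:
        out.append(f"pid {p.pid}: interactive {base} REPL on a tty (no shell history written)")
    return out

def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc from /proc; returns None for processes that vanish or are not readable."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        fd0 = os.readlink(f"/proc/{pid}/fd/0")
    except OSError:
        return None
    return Proc(pid, exe, argv, fd0.startswith(("/dev/pts/", "/dev/tty")))

def audit_live() -> List[str]:
    """Walk /proc once; run this from cron or a loop (the thread suggests every 10 seconds)."""
    found = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            p = read_proc(int(name))
            if p:
                found.extend(findings_for(p))
    return found

if __name__ == "__main__":
    print("\n".join(audit_live()) or "no findings")
```

Run it as root so that /proc/<pid>/exe of other users’ processes is readable; unprivileged runs silently skip those entries.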
Yes, you’re absolutely correct. What I meant by this post was just to give a basic overview of the current ways to prevent a lame person who has access to the shell from being able to delete their history. I know it’s far from superior 🙂
Thank you to the post’s and the comments’ authors.
To prevent saving session-history to .bash_history:
$ ps
PID TTY TIME CMD
13803 pts/4 00:00:00 bash
15368 pts/4 00:00:00 ps
$ kill -9 13803
Kill the login-shell process instead of logging out the normal way.
I used to do this quite often in the past. I’d forgotten about this. Good tip, thx 🙂