Security Basics mailing list archives

Re: bash_history to track users
From: "Joe Szilagyi" <js () axxs net>
Date: Thu, 13 Nov 2003 12:58:51 -0500

Hi,

Sorry for the delay in getting back to this. I want to log this activity on
a Red Hat server where multiple users log in as 'root'. Not really hunting
for malicious activity, just to see if the bash_history can record the login
IP or hostname. Some users come in from different locations, so it's more of
a security/activity accounting thing. For the time being, worries about
users trying to eliminate the history aren't really a concern, simply logging
the activities of users coming in from different hosts (and separating their
commands by host) is.

Regards,
Joe




----- Original Message ----- 
From: "Jack Whitsitt (jofny)" <seclists () violating us>
To: <>
Sent: Wednesday, November 12, 2003 11:39 AM
Subject: Re: bash_history to track users


The ONLY thing this would be useful for is being able to backtrack a
clue-less user. A malicious user with clue will do what he wants and then
go hand edit the bash history. After all, it's in his home directory and
he owns it.


That's not entirely accurate. It's fairly easy to modify bash to log this
file elsewhere...and it should not be much harder to have it log to two
locations with different permissions... This makes the discussion a little
bit more interesting..

Without hacking the code, though, I suppose you can write a script to parse
the output of "w" and have it add items as they change.

-Jack


What kind of an environment are you trying to secure - is this a business
where you can use something like a key stroke logger? or is it open to the
internet?

Thanks,

Jimi


At 12:44 AM -0500 11/6/03, Joe Szilagyi wrote:
Hi everyone,

Is there any way to totally keep track of users, to the degree of adding
timestamps and hostnames to each entry in the server's .bash_history files?

The especially wonderful thing would be able to have .bash_history record
the IP/hostname the person responsible is logging in from, i.e., if I'm in
as root from host 'barney.gumble.com', and I run command 'y', I want history
to show like this, and same from other people logging in...


114 barney.gumble.com passwd marge
115 barney.gumble.com adduser moe
116 65.23.18.95 cd /etc/conf/httpd
117 65.23.18.95 vi httpd.conf
118 barney.gumble.com pico .bachrc


...and so on. Is this possible?
_____________________
Regards, Joe
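
Added example, not part of the original thread: one way to get per-command records in the "number host command" layout asked for above without patching bash, by sending each command to syslog from PROMPT_COMMAND. The file path, the function names, the cmdlog tag and the CMDLOG_LAST variable are assumptions made for this sketch.

```shell
# Added example. Assumed install path (hypothetical): /etc/profile.d/cmdlog.sh,
# sourced by interactive bash logins.

# Address this login came from. sshd exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port"; SSH_CLIENT is the older form.
login_host() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
    elif [ -n "${SSH_CLIENT:-}" ]; then
        printf '%s\n' "${SSH_CLIENT%% *}"
    else
        # Non-SSH login: who -m shows the remote host in parentheses, if any.
        h=$(who -m 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p')
        printf '%s\n' "${h:-local}"
    fi
}

# Turn one line of `history 1` output ("  114  passwd marge") into
# "114 <host> passwd marge". Assumes HISTTIMEFORMAT is unset.
format_entry() {
    host=$1
    line=$2
    line=${line#"${line%%[! ]*}"}   # drop leading blanks
    num=${line%% *}                 # history number
    cmd=${line#"$num"}
    cmd=${cmd#"${cmd%%[! ]*}"}      # drop blanks between number and command
    printf '%s %s %s\n' "$num" "$host" "$cmd"
}

# Runs before each prompt: send the last command to syslog, which adds the
# timestamp. authpriv.* goes to /var/log/secure in Red Hat's default
# syslog configuration.
log_last_command() {
    entry=$(format_entry "$(login_host)" "$(history 1)")
    # Pressing Enter on an empty line repeats the same entry; skip it.
    [ "$entry" = "${CMDLOG_LAST:-}" ] && return 0
    CMDLOG_LAST=$entry
    logger -p authpriv.info -t cmdlog -- "${LOGNAME:-unknown} $entry"
}

PROMPT_COMMAND=log_last_command
```

Because the records go to syslog rather than to a file in the user's home directory, they can also be forwarded to a separate log host; a root shell can still unset PROMPT_COMMAND, so this is accounting, not tamper-proofing.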





