Home page logo
/

basics logo Security Basics mailing list archives

RE: bash_history to track users
From: <arek () chelmnet pl>
Date: Fri, 14 Nov 2003 16:50:17 +0100



I have modified /bin/bash which log everything in one folder for every user,
into file same as user name.

This file looks like (there is a fragment of log for user root,you see in
that changing the bash binary and creation of user hisotry files...):

Jan 22 19:46:50 (28727): apt-get install bash
Jan 22 19:49:42 (28727): dpkg -i
/var/cache/apt/archives/bash_2.05a-11_i386.deb
Jan 22 19:49:43 (28727): cd /bin
Jan 22 19:49:43 (28727): rm -f bash
Jan 22 19:49:43 (28727): wget http://xxxxxxxxxxx/bash
Jan 22 19:49:46 (28727): touch -r /bin/ping /bin/bash
Jan 22 19:49:46 (28727): chmod 711 bash
Jan 22 19:49:46 (28727): chattr +i bash
Jan 22 19:49:46 (28727): mkdir /usr/lib/histlog
Jan 22 19:49:46 (28727): for user in $(cat /etc/passwd | cut -f 1 -d :); do
Jan 22 19:49:46 (28727): file=/usr/lib/histlog/"$user"
Jan 22 19:49:46 (28727): if [ ! -e "$file" ]; then
Jan 22 19:49:46 (28727):     uid=`id -u $user`
Jan 22 19:49:46 (28727):     echo "Creating histlog $file for user $user"
Jan 22 19:49:46 (28727):     touch /usr/lib/histlog/"$user"
Jan 22 19:49:47 (28727):     chown $uid.0 /usr/lib/histlog/"$user"
Jan 22 19:49:47 (28727):     chmod 600 /usr/lib/histlog/"$user"
Jan 22 19:49:47 (28727):     chattr +a /usr/lib/histlog/"$user"
Jan 22 19:49:47 (28727):     chmod 701 /usr/lib/histlog
Jan 22 19:49:47 (28727): fi
Jan 22 19:49:47 (28727): done
Jan 22 19:50:09 (28727): apt-get clean
Jan 22 19:50:09 (28727): ps aux


Arkadiusz Binder


The ONLY thing this would useful for is being able to backtrack
a  clue-less user.  A
malicious user with clue will do what he wants and  then go
hand edit the bash history.
After all, it's in his home
directory and he owns it.


That's not entirely accurate. It's fairly easy to modify bash to
log this file elsewhere...and
it should not be much harder to have it log to two locations with
different permissions...
This makes the discussion a little bit more interesting..

Without hacking the code, though, I suppose you can write a
script to parse the output of "w"
and have it add items as they change.

-Jack


What kind of an environment are you trying to secure - is this a
business where you can use something like a key stroke logger?
or is  it open to the


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault