Home page logo

basics logo Security Basics mailing list archives

Re: bash_history to track users
From: Sebastian Hans <hanss () in tum de>
Date: Sat, 15 Nov 2003 15:26:08 +0100

jrd () gerdesas com wrote:
Perhaps I am missing something here, but wouldn't modifying bash to syslog the
activities be a little more secure in the long run?  Especially if re-directing
syslog entries to an external syslog server and not keeping them on the local,
shell accessible boxes.  

It would also not be much more difficult then just logging to files.

Okay, but this still does not solve the alternate shell problem.
And just logging the command lines isn't enough either. Consider this:

~/.aliases contains bash aliases (sourced from ~/.bashrc).
Edit ~/.aliases to include the following line:

alias cat='echo "Evil.";sed -i "/^alias cat=/d" ~/.aliases;unalias cat;cat'

$ echo Harmless >harmless.txt
$ exec bash --login   # Or just log out and log in again. Now cat is an alias.
$ cat harmless.txt
$ cat harmless.txt    # Here cat is no longer an alias.

In ~/.aliases there is no trace left of the evil alias.

.bash_history only shows this:

echo "Harmless" >harmless.txt
exec bash --login
cat harmless.txt
cat harmless.txt

As you can see, 'echo "Evil."' is not logged. You would have to change
bash to log command lines after expansion is performed and even then you
could get around it with scripts.


/~\ The ASCII                          Sebastian Hans
\ / Ribbon Campaign                    hanss () in tum de
 X  Against HTML                         0x5AED1E6D
/ \ Email!           014C 4A54 FED4 C0B5 3E87  427B 6910 AB0A 5AED 1E6D

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]