Full Disclosure: Re: encrypt the bash history

Nmap Security Scanner
- Intro
- Ref Guide
- Install Guide
- Download
- Changelog
- Book
- Docs
Security Lists
- Nmap Hackers
- Nmap Dev
- Bugtraq
- Full Disclosure
- Pen Test
- Basics
- More
Security Tools
Site News
Advertising
About/Contact
Sponsors:

Re: encrypt the bash history

From: Erik Falor <ewfalor () gmail com>
Date: Fri, 4 Feb 2011 12:36:40 -0700

On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/04/11 16:13, Valdis.Kletnieks () vt edu wrote:

On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:

what is the best way to encrypt the bash_history file?
I try using crypt/decrypt with GPG when login/logout. It works, but not
safe enough.


Explain what the threat model is, and why GPG isn't safe enough?  It's kind of
hard to recommend "best" when we don't understand what the criteria are...


The "way" is not safe enough. root can login as me (su - user) and
bash_history will be decrypted. I try to find any better way to crypt
and make unreadable the bash_history file from any other users,
including root.


Not to mention the fact that your .bash_history file is unencrypted
the entire time you're logged in.  A better alternative, if you're
that anxious about your shell history falling into the wrong hands, is
to disable it entirely:

unset HISTFILE
HISTSIZE=0

You can also tell bash to not record commands that begin with a space:
HISTCONTROL=ignorespace

More fine-grained control can be achieved with the HISTIGNORE
variable.  See the 'Shell Variables' section of the bash(1) manpage.

Finally, I wrote these functions to toggle history recording on/off
in a shell.  I like how this works, when I remember to run it beforehand:

# turn off history recording
function offtherecord()
{
    if [[ -n "$HISTFILE" ]]; then
        OLDHISTFILE=$HISTFILE
        unset HISTFILE
    fi
    if [[ -n "$HISTSIZE" ]]; then
        OLDHISTSIZE=$HISTSIZE
        HISTSIZE=0
    fi
}

# turn on history recording
function ontherecord()
{
    if [[ -n "$OLDHISTFILE" ]]; then
        HISTFILE=$OLDHISTFILE
        unset OLDHISTFILE
    fi
    if [[ -n "$HISTSIZE" ]]; then
        HISTSIZE=$OLDHISTSIZE
        unset OLDHISTSIZE
    fi
}

Once you've run offtherecord, you lose all of your history for that shell until
you log back in.

-- 
Erik Falor
Registered Linux User #445632 http://counter.li.org

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

encrypt the bash history Zerial. (Feb 04)
- Re: encrypt the bash history Valdis . Kletnieks (Feb 04)
  - Re: encrypt the bash history Zerial. (Feb 04)
    - Re: encrypt the bash history Erik Falor (Feb 04)
    - Re: encrypt the bash history Zerial. (Feb 06)
    - Re: encrypt the bash history Rodrigo Rubira Branco (BSDaemon) (Feb 06)
    - Re: encrypt the bash history Peter Maxwell (Feb 06)
    - Re: encrypt the bash history Emanuel dos Reis Rodrigues (Feb 06)
    - Re: encrypt the bash history Valdis . Kletnieks (Feb 04)
- Re: encrypt the bash history Daniël W . Crompton (Feb 07)
- <Possible follow-ups>
- Re: encrypt the bash history Zach C. (Feb 06)
  - Re: encrypt the bash history Cal Leeming [Simplicity Media Ltd] (Feb 07)
  - Re: encrypt the bash history Champ Clark III [Softwink] (Feb 08)