Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: encrypt the bash history
From: Peter Maxwell <peter () allicient co uk>
Date: Sun, 6 Feb 2011 13:55:55 +0000

To be honest, none of these methods will actually be effective: root can do
what he/she likes, including monitoring *everything* you do.  Worrying about
shell history is not going to solve anything.

Your only choices are to trust root, or setup your own host.

Peter Maxwell


On 6 February 2011 11:21, Zerial. <fernando () zerial org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/04/11 16:36, Erik Falor wrote:
On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/04/11 16:13, Valdis.Kletnieks () vt edu wrote:
On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
what is the best way to encrypt the bash_history file?
I try using crypt/decrypt with GPG when login/logout. It works, but
not
safe enough.

Explain what the threat model is, and why GPG isn't safe enough?  It's
kind of
hard to recommend "best" when we don't understand what the criteria
are...


The "way" is not safe enough. root can login as me (su - user) and
bash_history will be decrypted. I try to find any better way to crypt
and make unreadable the bash_history file from any other users,
including root.

Not to mention the fact that your .bash_history file is unencrypted
the entire time you're logged in.

This is the problem on my "way" to protect/crypt the bash_history.

 A better alternative, if you're
that anxious about your shell history falling into the wrong hands, is
to disable it entirely:

unset HISTFILE
HISTSIZE=0

You can also tell bash to not record commands that begin with a space:
HISTCONTROL=ignorespace

More fine-grained control can be achieved with the HISTIGNORE
variable.  See the 'Shell Variables' section of the bash(1) manpage.

Finally, I wrote these functions to toggle history recording on/off
in a shell.  I like how this works, when I remember to run it beforehand:

# turn off history recording
function offtherecord()
{
    if [[ -n "$HISTFILE" ]]; then
        OLDHISTFILE=$HISTFILE
        unset HISTFILE
    fi
    if [[ -n "$HISTSIZE" ]]; then
        OLDHISTSIZE=$HISTSIZE
        HISTSIZE=0
    fi
}

# turn on history recording
function ontherecord()
{
    if [[ -n "$OLDHISTFILE" ]]; then
        HISTFILE=$OLDHISTFILE
        unset OLDHISTFILE
    fi
    if [[ -n "$HISTSIZE" ]]; then
        HISTSIZE=$OLDHISTSIZE
        unset OLDHISTSIZE
    fi
}

Once you've run offtherecord, you lose all of your history for that shell
until
you log back in.


Nice tip, but this solution doesn't work for me. I don't wanna avoid
logging commands nor delete the bash history nor hide the commands. I
wanna "encrypt" the file. I don't wanna miss commands which I executed.

Another solution may be copy and move the history file from the server
to the client, saving the bash_history on client side. But ... this will
not work if I connect using client as putty.


thanks for the asnwer,



- --
Zerial
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial () jabberes org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1OhC0ACgkQIP17Kywx9JTuSgCcC455KT3/NrSZbOXNodc/zbG8
JmcAn3QtIlyVyri5qCPxBFlaLa04C8tk
=OVc7
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault