|
Full Disclosure
mailing list archives
Re: encrypt the bash history
From: Peter Maxwell <peter () allicient co uk>
Date: Sun, 6 Feb 2011 13:55:55 +0000
To be honest, none of these methods will actually be effective: root can do
what he/she likes, including monitoring *everything* you do. Worrying about
shell history is not going to solve anything.
Your only choices are to trust root, or setup your own host.
Peter Maxwell
On 6 February 2011 11:21, Zerial. <fernando () zerial org> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/04/11 16:36, Erik Falor wrote:
On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/04/11 16:13, Valdis.Kletnieks () vt edu wrote:
On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
what is the best way to encrypt the bash_history file?
I try using crypt/decrypt with GPG when login/logout. It works, but
not
safe enough.
Explain what the threat model is, and why GPG isn't safe enough? It's
kind of
hard to recommend "best" when we don't understand what the criteria
are...
The "way" is not safe enough. root can login as me (su - user) and
bash_history will be decrypted. I try to find any better way to crypt
and make unreadable the bash_history file from any other users,
including root.
Not to mention the fact that your .bash_history file is unencrypted
the entire time you're logged in.
This is the problem on my "way" to protect/crypt the bash_history.
A better alternative, if you're
that anxious about your shell history falling into the wrong hands, is
to disable it entirely:
unset HISTFILE
HISTSIZE=0
You can also tell bash to not record commands that begin with a space:
HISTCONTROL=ignorespace
More fine-grained control can be achieved with the HISTIGNORE
variable. See the 'Shell Variables' section of the bash(1) manpage.
Finally, I wrote these functions to toggle history recording on/off
in a shell. I like how this works, when I remember to run it beforehand:
# turn off history recording
function offtherecord()
{
if [[ -n "$HISTFILE" ]]; then
OLDHISTFILE=$HISTFILE
unset HISTFILE
fi
if [[ -n "$HISTSIZE" ]]; then
OLDHISTSIZE=$HISTSIZE
HISTSIZE=0
fi
}
# turn on history recording
function ontherecord()
{
if [[ -n "$OLDHISTFILE" ]]; then
HISTFILE=$OLDHISTFILE
unset OLDHISTFILE
fi
if [[ -n "$HISTSIZE" ]]; then
HISTSIZE=$OLDHISTSIZE
unset OLDHISTSIZE
fi
}
Once you've run offtherecord, you lose all of your history for that shell
until
you log back in.
Nice tip, but this solution doesn't work for me. I don't wanna avoid
logging commands nor delete the bash history nor hide the commands. I
wanna "encrypt" the file. I don't wanna miss commands which I executed.
Another solution may be copy and move the history file from the server
to the client, saving the bash_history on client side. But ... this will
not work if I connect using client as putty.
thanks for the asnwer,
- --
Zerial
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial () jabberes org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk1OhC0ACgkQIP17Kywx9JTuSgCcC455KT3/NrSZbOXNodc/zbG8
JmcAn3QtIlyVyri5qCPxBFlaLa04C8tk
=OVc7
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
Re: encrypt the bash history Daniƫl W . Crompton (Feb 07)
|
