JP Vossen on 1 Sep 2007 06:31:54 -0000



Re: [PLUG] shell script help...


Date: Sat, 1 Sep 2007 01:29:42 -0400
From: Matthew Rosewarne <mukidohime@case.edu>
Subject: Re: [PLUG] shell script help...

On Saturday 01 September 2007, Mag Gam wrote:
> > I am in the process of writing a shell script to take the history file
> > (fc -l) and back it up, while appending to it.
> >
> > My strategy is, once the user exits out of his shell, I will dump
> > the history into a file by using a trap() with EXIT. The file will
> > be appended by the username... (i.e., username.history.date

> I would not attempt to rely on this for any measure of security, as it
> can be easily circumvented by users.

I strongly agree. To the best of my knowledge there is *no way* to do this without using a modified kernel (or maybe kernel module) that captures keystrokes. This is discussed in _Know Your Enemy_ on pages 38-40 and is probably covered in various places at http://honeynet.org/.

Someone above noted that you can lock down shells by editing /etc/shells, but that won't prevent someone from simply running a different shell. You could attempt to remove all shells but bash from the system, then try to implement some trap/history scheme as described, but I'd bet *something* on the system will break if you do that.

Bash's history is pretty handy (try 'help fc' and 'help history') but it's not intended for security or auditing.

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
Microsoft has single-handedly nullified Moore's Law.
Innate design flaws of Windows make a personal firewall, anti-virus
and anti-malware software mandatory. The resulting software arms race
has effectively flattened Moore's Law on hardware running Windows.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
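The trap/history scheme the original poster describes, written out as an added example that is not code from this thread: it appends a history file to a per-user, per-day file and installs the EXIT trap. The history-file path, the backup directory, and the `###` header format are assumptions; it does not change the thread's conclusion that a user can bypass it by starting another shell or dropping the trap.

```shell
#!/bin/sh
# Added example, not from the PLUG thread. Implements "dump history on EXIT
# into username.history.date" so the pieces can be exercised directly.

# Append the history in file $1 to $2/<user>.history.<YYYYMMDD> under a
# timestamped header and print the resulting path. Returns 1 on failure.
backup_history() {
    src="$1"; dir="$2"
    user="${USER:-$(id -un)}"
    out="$dir/$user.history.$(date +%Y%m%d)"
    [ -r "$src" ] || return 1
    mkdir -p "$dir" || return 1
    {
        printf '### %s %s pid=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$user" "$$"
        # drop bash's "#<epoch>" HISTTIMEFORMAT stamp lines and blank lines
        sed '/^#[0-9]*$/d; /^$/d' "$src"
    } >> "$out" || return 1
    printf '%s\n' "$out"
}

# Number of commands captured for user $2 across all dated files in $1.
captured_count() {
    dir="$1"; user="$2"
    cat "$dir/$user".history.* 2>/dev/null | grep -vc '^###'
}

# Install the EXIT trap the original poster proposed. In an interactive bash,
# "history -w" first flushes the in-memory list to HISTFILE so the dump is
# current (it is a bash builtin; other shells just skip it). A user who runs a
# different shell, unsets HISTFILE, or clears the trap bypasses all of this,
# which is why the thread treats it as convenience rather than audit.
install_history_trap() {
    dir="$1"
    trap 'history -w 2>/dev/null; backup_history "${HISTFILE:-$HOME/.bash_history}" "'"$dir"'" >/dev/null' EXIT
}
```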