Securing .bash_history in All Things Unix

Securing .bash_history in All Things Unix http://www.dslreports.com/forum/r20317535 en Thu, 04 Dec 2008 17:29:53 EDT Thu, 04 Dec 2008 17:29:53 EDT Re: Securing .bash_history http://www.dslreports.com/forum/remark,20318055 bky : Yep. ext(all versions), jfs, xfs, and reiser all support extended attributes.]]> http://www.dslreports.com/forum/remark,20318055 Fri, 11 Apr 2008 13:06:46 EDT Re: Securing .bash_history http://www.dslreports.com/forum/remark,20318033 evilghost :

said by BeesTea

:

Sorry, skimmed the chattr sentence and went to the first code block. Not enough coffee this morning I guess.

Again, great post.

Thanks again, glad I understood chattr to be what it is. Obviously chattr is only going to be applicable to an ext filesystem. I would assume ReiserFS and XFS have similar fs attribute settings...]]> http://www.dslreports.com/forum/remark,20318033 Fri, 11 Apr 2008 13:02:44 EDT Re: Securing .bash_history http://www.dslreports.com/forum/remark,20318023 BeesTea : Sorry, skimmed the chattr sentence and went to the first code block. Not enough coffee this morning I guess.

Again, great post.
--
Overpower, overcome.]]> http://www.dslreports.com/forum/remark,20318023 Fri, 11 Apr 2008 13:00:02 EDT Re: Securing .bash_history http://www.dslreports.com/forum/remark,20317987 bky :

said by BeesTea

:

It's important to note that this only stops the intruder from remapping the history file and doesn't stop the filesystem based vectors to achieve the same goal. Linking ~/.bash_history to /dev/null is still possible, etc.

Actually, an append-only attribute would prevent the user from doing this.]]> http://www.dslreports.com/forum/remark,20317987 Fri, 11 Apr 2008 12:53:21 EDT Re: Securing .bash_history http://www.dslreports.com/forum/remark,20317982 evilghost :

said by BeesTea

:

Excellent post.

It's important to note that this only stops the intruder from remapping the history file and doesn't stop the filesystem based vectors to achieve the same goal. Linking ~/.bash_history to /dev/null is still possible, etc.

Not trying to dissuade anyone from following the profile hardening method, just trying to encourage people to view the attack from all vantage points.

Thanks!

Can you expand on that? I was under the impression the chattr +a would cover that (or are you speaking with regard to the readonly export settings)? Thanks for your input

]]> http://www.dslreports.com/forum/remark,20317982 Fri, 11 Apr 2008 12:52:18 EDT Re: Securing .bash_history http://www.dslreports.com/forum/remark,20317871 BeesTea : Excellent post.

It's important to note that this only stops the intruder from remapping the history file and doesn't stop the filesystem based vectors to achieve the same goal. Linking ~/.bash_history to /dev/null is still possible, etc.

Not trying to dissuade anyone from following the profile hardening method, just trying to encourage people to view the attack from all vantage points.

Thanks!
--
Overpower, overcome.]]> http://www.dslreports.com/forum/remark,20317871 Fri, 11 Apr 2008 12:18:58 EDT Re: Securing .bash_history http://www.dslreports.com/forum/remark,20317614 bky : Excellent hardening tip, thanks. Also keeps the user from exporting a different value for histfile, such as /dev/null.]]> http://www.dslreports.com/forum/remark,20317614 Fri, 11 Apr 2008 11:30:58 EDT Securing .bash_history http://www.dslreports.com/forum/remark,20317535 evilghost : The SSH honeypot detected an actual human user, the first command they ran was "unset HISTFILE" which will unset the environment variable for the location of the bash history file. While this is a quite old technique evidently this is the first time I had seen it.

In an effort to educate others I'm creating this topic and providing methods to mitigate this.

To prevent this you can edit /etc/profile and set these variables as read-only. If you're using an ext filesystem you can also chattr .bash_history so it can only be opened in append mode; preventing users from erasing/clobbering the file.

]]> http://www.dslreports.com/forum/remark,20317535 Fri, 11 Apr 2008 11:14:56 EDT