Date: Sun, 06 Feb 2011 10:17:15 -0400
From: Emanuel dos Reis Rodrigues <emanueldosreis@...il.com>
To: Peter Maxwell <peter@...icient.co.uk>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: encrypt the bash history

I agree with Peter, if you control the root user ... the bash history
is the minor problem ...


Emanuel dos Reis Rodrigues
Senior Level Linux Professional (LPIC-3) 
LPI 302 (Mixed Environment) Specialty
LPI 304 (Virtualization and High Availability) Specialty
C|EH Certified Ethical Hacker
CompTIA Security+ Certified
http://br.linkedin.com/in/emanuelreis
t:@emanueldosreis
emanueldosreis(No*SpAm)gmail.com
Mobile: +55 95 8112-9628

Peter Maxwell wrote:
>
> To be honest, none of these methods will actually be effective: root 
> can do what he/she likes, including monitoring *everything* you do. 
>  Worrying about shell history is not going to solve anything.
>
> Your only choices are to trust root, or setup your own host.
>
> Peter Maxwell
>
>
> On 6 February 2011 11:21, Zerial. <fernando@...ial.org> wrote:
>
>     On 02/04/11 16:36, Erik Falor wrote:
>     > On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
>     >> On 02/04/11 16:13, Valdis.Kletnieks@...edu wrote:
>     >>> On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
>     >>>> what is the best way to encrypt the bash_history file?
>     >>>> I try using crypt/decrypt with GPG when login/logout. It works, but not
>     >>>> safe enough.
>     >>>
>     >>> Explain what the threat model is, and why GPG isn't safe enough?  It's kind of
>     >>> hard to recommend "best" when we don't understand what the criteria are...
>     >>>
>     >>
>     >> The "way" is not safe enough. root can login as me (su - user) and
>     >> bash_history will be decrypted. I try to find any better way to crypt
>     >> and make unreadable the bash_history file from any other users,
>     >> including root.
>     >
>     > Not to mention the fact that your .bash_history file is unencrypted
>     > the entire time you're logged in.
>
>     This is the problem on my "way" to protect/crypt the bash_history.
>
>     > A better alternative, if you're
>     > that anxious about your shell history falling into the wrong hands, is
>     > to disable it entirely:
>     >
>     > unset HISTFILE
>     > HISTSIZE=0
>     >
>     > You can also tell bash to not record commands that begin with a space:
>     > HISTCONTROL=ignorespace
>     >
>     > More fine-grained control can be achieved with the HISTIGNORE
>     > variable.  See the 'Shell Variables' section of the bash(1) manpage.
>     >
>     > Finally, I wrote these functions to toggle history recording on/off
>     > in a shell.  I like how this works, when I remember to run it beforehand:
>     >
>     > # turn off history recording
>     > function offtherecord()
>     > {
>     >     if [[ -n "$HISTFILE" ]]; then
>     >         OLDHISTFILE=$HISTFILE
>     >         unset HISTFILE
>     >     fi
>     >     if [[ -n "$HISTSIZE" ]]; then
>     >         OLDHISTSIZE=$HISTSIZE
>     >         HISTSIZE=0
>     >     fi
>     > }
>     >
>     > # turn on history recording
>     > function ontherecord()
>     > {
>     >     if [[ -n "$OLDHISTFILE" ]]; then
>     >         HISTFILE=$OLDHISTFILE
>     >         unset OLDHISTFILE
>     >     fi
>     >     if [[ -n "$OLDHISTSIZE" ]]; then
>     >         HISTSIZE=$OLDHISTSIZE
>     >         unset OLDHISTSIZE
>     >     fi
>     > }
>     >
>     > Once you've run offtherecord, you lose all of your history for that shell until
>     > you log back in.
>     >
>
>     Nice tip, but this solution doesn't work for me. I don't wanna avoid
>     logging commands nor delete the bash history nor hide the commands. I
>     wanna "encrypt" the file. I don't wanna miss commands which I
>     executed.
>
>     Another solution may be copy and move the history file from the server
>     to the client, saving the bash_history on client side. But ... this will
>     not work if I connect using client as putty.
>
>
>     thanks for the answer,
>
>
>
>     - --
>     Zerial
>     Seguridad Informatica
>     GNU/Linux User #382319
>     Blog: http://blog.zerial.org
>     Jabber: zerial@...beres.org
>
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/
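
An added illustration, not code from any poster in this thread: the sketch below models bash's documented HISTCONTROL and HISTIGNORE rules to show which lines of a session would actually reach the history list, and so what a history file can and cannot be relied on to contain. The function names and the sample session are constructed for the example; `erasedups` is not modelled and `&` is handled only as a whole pattern.

```shell
#!/bin/sh
# Added example: a model of bash's HISTCONTROL/HISTIGNORE filtering,
# written in POSIX sh. All names and sample commands are constructed.

# would_record LINE PREV HISTCONTROL HISTIGNORE
# Exit status 0 if bash would save LINE, 1 if it would be dropped.
# The body runs in a subshell so the IFS and noglob changes do not leak.
would_record() (
    line=$1; prev=$2; control=$3; ignore=$4
    set -f          # keep patterns from globbing against files when split
    IFS=:           # both variables are colon-separated lists
    for opt in $control; do
        case $opt in
            ignorespace|ignoreboth) case $line in ' '*) exit 1;; esac ;;
        esac
        case $opt in
            ignoredups|ignoreboth) if [ "$line" = "$prev" ]; then exit 1; fi ;;
        esac
    done
    # HISTIGNORE is tested after HISTCONTROL; each pattern must match the
    # complete line, and a bare '&' stands for the previous history entry.
    for pat in $ignore; do
        if [ "$pat" = '&' ]; then
            if [ "$line" = "$prev" ]; then exit 1; fi
            continue
        fi
        case $line in $pat) exit 1;; esac
    done
    exit 0
)

# Constructed sample session; the second command starts with a space.
sample_session() {
    printf '%s\n' 'ls -la' ' export API_TOKEN=example' 'ls -la' \
        'gpg -d notes.gpg' 'cd /tmp'
}

# filter_session HISTCONTROL HISTIGNORE
# Prints the sample commands that would be kept under those settings.
filter_session() {
    prev=''
    sample_session | while IFS= read -r cmd; do
        if would_record "$cmd" "$prev" "$1" "$2"; then
            printf '%s\n' "$cmd"
            prev=$cmd   # only saved lines become the "previous entry"
        fi
    done
}
```
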