Recall that all of the commands a given user (including root) executes are recorded in that user's shell "history" file. For Bash, the history file is .bash_history. Let's take a look at what might be inside a .bash_history file for root:
cd conf
ls
diff httpd.conf httpd.conf.rpmnew
cdrecord -v speed=48 dev=0,0,0 -data dcom.iso
cat /etc/shadow | grep fred
ldapmodify -D "cn=admin" -w l33t -x -a -f added.ldif
We can see a step-by-step replay of what root had been doing. We see that there was a comparison of two different httpd.conf files, there was a CD that was burned... And what's this? An ldapmodify complete with password! (The "-w" option lets one supply the bind password on the command line; here the password is "l33t".)
As you can imagine, this file may contain rather sensitive information. So, naturally, you'd want it to be as secure as possible. This file should have something akin to the following:
Also, this permission setting should be applied to non-administrative users' history files as well. Let's suppose for a second that a user "bob" had his .bash_history set as follows:
-rw-rw---- 1 bob users 17164 Sep 24 07:47 .bash_history
What is wrong with this setting?
You should also periodically check root's .bash_history file for strange entries that you do not remember issuing. Always be suspicious of entries which could indicate a cracking attempt (such as the viewing of /etc/shadow above).
As long as you use root access sparingly, you should be able to keep track of which commands you did and did not issue.
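The two checks described above (are the history files owner-only, and do they contain entries worth a second look?) can be turned into a small script. The following is an added example, not part of the class notes: it builds two constructed history files from the commands shown above, root's with owner-only access and bob's with the -rw-rw---- mode from the listing, then reports on them. It assumes a POSIX sh with ls, cut, grep, sed, wc and mktemp; the "-w password" and /etc/shadow patterns it looks for are the two cases the notes call out.

```sh
#!/bin/sh
# Added example (not from the class notes): audit .bash_history files for
# group/world access and for entries that deserve a second look.
# Assumes a POSIX sh with ls, cut, grep, sed, wc and mktemp; the sample
# history files built below are constructed from the commands in the notes.

# Group-and-other permission bits from "ls -l", e.g. "rw----" for mode 660.
# Reading ls output keeps this portable across GNU and BSD userlands.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# True (exit 0) only when the file is accessible by its owner alone (600/400).
history_perms_ok() {
    case "$(group_other_bits "$1")" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# History lines worth reviewing: a password handed over on the command line
# (the "-w" option of ldapmodify, as in the notes) or a read of /etc/shadow.
flag_history() {
    grep -n -E -e '(^| )-w +[^ ]+' -e '/etc/shadow' "$1"
}

# Number of flagged lines, as a bare integer.
flag_count() {
    flag_history "$1" | wc -l | tr -d ' '
}

# Report on every history file given. Exit status 1 if any is group- or
# world-accessible, so the function can drive a cron job or a test.
audit_histories() {
    rc=0
    for h in "$@"; do
        [ -f "$h" ] || continue
        if history_perms_ok "$h"; then
            echo "OK    $h (owner-only access)"
        else
            echo "LOOSE $h ($(ls -ld "$h" | cut -c1-10)); fix with: chmod 600 '$h'"
            rc=1
        fi
        n=$(flag_count "$h")
        if [ "$n" -gt 0 ]; then
            echo "      $n entries to review:"
            flag_history "$h" | sed 's/^/        /'
        fi
    done
    return "$rc"
}

# Build two constructed history files: root's with owner-only access and
# bob's with the group-writable mode quoted in the notes. Prints the directory.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/root_history" <<'EOF'
cd conf
ls
diff httpd.conf httpd.conf.rpmnew
cdrecord -v speed=48 dev=0,0,0 -data dcom.iso
cat /etc/shadow | grep fred
ldapmodify -D "cn=admin" -w l33t -x -a -f added.ldif
EOF
    chmod 600 "$d/root_history"
    cp "$d/root_history" "$d/bob_history"
    chmod 660 "$d/bob_history"
    echo "$d"
}

SAMPLE_DIR=$(make_samples)
# On a real host you would pass /root/.bash_history /home/*/.bash_history instead.
audit_histories "$SAMPLE_DIR/root_history" "$SAMPLE_DIR/bob_history" \
    || echo "one or more history files need attention"
```

Run it as an ordinary script; each file gets an OK or LOOSE line, and the LOOSE line carries the chmod that fixes it. The pattern list in flag_history is deliberately short and matches only what the notes discuss; extend it with the tools whose command lines carry secrets on your own systems.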