These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Watching Bash


Recall that all of the commands a given user (including root) executes go into the associated shell's "history" file. For Bash, that file is .bash_history. Let's take a look at what might be inside root's .bash_history:

 cd conf
 ls
 diff httpd.conf httpd.conf.rpmnew
 cdrecord -v speed=48 dev=0,0,0 -data dcom.iso
 cat /etc/shadow | grep fred
 ldapmodify -D "cn=admin" -w l33t -x -a -f added.ldif

We can see a step-by-step replay of what root had been doing: a comparison of two different httpd.conf files, a CD being burned... And what's this? An ldapmodify command complete with its password! (The "-w" option lets one supply the bind password on the command line; here the password is "l33t".)

As you can imagine, this file may contain rather sensitive information, so naturally you want it to be as well protected as possible. This file should have permissions akin to the following:

 -rw-------  1 root   root   17164 Sep 24 07:47 .bash_history

This permission setting should also be applied to non-administrative users' history files. Suppose for a moment that a user "bob" had his .bash_history set as follows:

 -rw-rw----  1 bob   users   17164 Sep 24 07:47 .bash_history

What is wrong with this setting?
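A small audit script, added here as an example and not part of the original classnotes, that checks .bash_history files for any group or other permission bits. It assumes a POSIX system with ls and cut, and that home directories live under /home plus /root; the demo operates on constructed files in a temporary directory rather than real home directories.

```shell
#!/bin/sh
# Added example: report .bash_history files whose group/other bits are set.
# Assumes POSIX ls and cut; home directories are passed as arguments.

# Return 0 if the file's group and other permission triplets are all '-',
# 1 otherwise, 2 if the file does not exist.
history_mode_ok() {
    f="$1"
    [ -e "$f" ] || return 2
    # Columns 5-10 of a long listing are the group and other triplets.
    go=$(ls -ld "$f" | cut -c5-10)
    [ "$go" = "------" ]
}

# Walk the given home directories and report offending history files.
# Returns 1 if any file is readable or writable by group/other.
audit_history_perms() {
    rc=0
    for home in "$@"; do
        f="$home/.bash_history"
        [ -f "$f" ] || continue
        if history_mode_ok "$f"; then
            echo "OK   $f"
        else
            echo "WARN $f is readable or writable by group/other: $(ls -l "$f")"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed files (not real home directories):
# root's file is mode 600, bob's is mode 660 as in the listing above.
demo() {
    d=$(mktemp -d)
    mkdir "$d/root" "$d/bob"
    : > "$d/root/.bash_history"; chmod 600 "$d/root/.bash_history"
    : > "$d/bob/.bash_history";  chmod 660 "$d/bob/.bash_history"
    audit_history_perms "$d/root" "$d/bob"
    status=$?
    rm -rf "$d"
    return $status
}

if demo; then
    echo "no problems found"
else
    echo "problems found"
fi

# Real use on a live system: audit_history_perms /root /home/*
```

Run it as root so every home directory is readable; a nonzero exit status from audit_history_perms makes it easy to wire into a cron job that mails the output only when something needs fixing.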

You should also periodically check root's .bash_history file for entries that you do not remember issuing. Always be suspicious of entries that could indicate a cracking attempt (such as the viewing of /etc/shadow above).

As long as you use root access sparingly, you should be able to keep track of which commands you did and did not run.
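To make the periodic review less tedious, here is an added example (not from the original classnotes) that greps a history file for the kinds of entries discussed above: access to /etc/shadow or /etc/sudoers, and passwords passed on the command line via "-w" or "--password". The patterns are assumptions chosen for this class and are a starting point, not an exhaustive list; the sample history is constructed inline and mirrors the listing at the top of the page.

```shell
#!/bin/sh
# Added example: flag history entries an administrator should review.
# The pattern list is an assumption for this class; extend it for your site.

# Print (with line numbers) history lines matching the review patterns.
# Exit status follows grep: 0 if anything matched, 1 if nothing did.
scan_history() {
    grep -n -E \
        -e '/etc/shadow' \
        -e '/etc/sudoers' \
        -e '(^|[[:space:]])-w[[:space:]]+[^[:space:]]' \
        -e '--password' \
        "$1"
}

# Count the flagged lines so a caller can act on the number.
count_flagged() {
    scan_history "$1" | wc -l | tr -d ' '
}

# Demonstration on a constructed history file (not a real .bash_history).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
cd conf
ls
diff httpd.conf httpd.conf.rpmnew
cdrecord -v speed=48 dev=0,0,0 -data dcom.iso
cat /etc/shadow | grep fred
ldapmodify -D "cn=admin" -w l33t -x -a -f added.ldif
EOF
    echo "Flagged entries:"
    scan_history "$tmp"
    echo "Total flagged: $(count_flagged "$tmp")"
    rm -f "$tmp"
}

demo

# Real use: scan_history /root/.bash_history
```

On the sample above the scan flags two lines: the read of /etc/shadow and the ldapmodify call carrying its bind password. Expect the occasional false positive (for example, "grep -w word" also matches the "-w" pattern); the point is to shorten the list a human has to read, not to replace reading it.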



Last edited September 25, 2003 12:07 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.