LinuxQuestions.org
Old 09-30-2010, 03:08 PM   #1
SnakerDLK
LQ Newbie
 
Registered: Jul 2007
Posts: 9

Rep: Reputation: Disabled
Is there a way to prevent users from changing or unset their HISTFILE variable?


'readonly HISTFILE'

but the user could tamper with the histfile itself. Like:
rm -f $HISTFILE;
rm -f $HISTFILE; mkdir $HISTFILE;
rm -f $HISTFILE; ln -s /dev/null $HISTFILE;

I'm experimenting with PROMPT_COMMAND to execute a command each time the user executes a command and so log it somewhere else...


//This post was pruned from the 2009 Is there a way to prevent users from changing or unset their HISTFILE variable? thread. Please do not resurrect old threads but instead create your own (and maybe provide a link to the old one).

Last edited by unSpawn; 09-30-2010 at 04:14 PM.
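Added example (not part of the original post): a POSIX shell check that classifies a history file into the tampered states listed in the post above (removed, replaced by a directory, symlinked to /dev/null) so an audit job run as root can flag them. The function names and the `/home` and `.bash_history` defaults are assumptions.

```shell
#!/bin/sh
# Added example: classify shell history files so an audit job can flag
# the tampering cases from the post. histfile_state and audit_histfiles
# are hypothetical helper names, not part of any package.

# Print one word describing the history file at path $1.
histfile_state() {
    f=$1
    if [ -L "$f" ]; then
        # Symlink: report the target (/dev/null silently discards history).
        printf 'symlink:%s\n' "$(readlink "$f")"
    elif [ -d "$f" ]; then
        # A directory in place of the file makes the history write fail.
        echo directory
    elif [ ! -e "$f" ]; then
        # Also normal for an account that has never logged in.
        echo missing
    elif [ ! -f "$f" ]; then
        echo not-regular
    elif [ ! -s "$f" ]; then
        echo empty
    else
        echo ok
    fi
}

# Check file $2 (default .bash_history) in every home directory under $1
# (default /home). Prints only findings; returns 1 if there were any.
audit_histfiles() {
    base=${1:-/home}
    name=${2:-.bash_history}
    rc=0
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        state=$(histfile_state "${home}${name}")
        case $state in
            ok) ;;
            *) printf '%s\t%s\n' "${home}${name}" "$state"; rc=1 ;;
        esac
    done
    return $rc
}
```

A finding only says the file is not a usable history file at the moment of the check; it does not show who changed it or what was run in between.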
 
Old 10-01-2010, 09:20 AM   #2
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Bookworm (Fluxbox WM)
Posts: 1,391
Blog Entries: 53

Rep: Reputation: 360
No you can't prevent this, because it isn't intended to be an audit device (they can just unset the variable). And unless you severely limit them, they could easily run an alternate shell anyway.

If you want to audit them properly, use a package like acct/psacct.

Last edited by neonsignal; 10-01-2010 at 09:22 AM.
 
1 members found this post helpful.
Old 10-02-2010, 03:35 PM   #3
SnakerDLK
LQ Newbie
 
Registered: Jul 2007
Posts: 9

Original Poster
Rep: Reputation: Disabled
Actually that was not a real question,
I was just answering an old open thread.

The problem with psacct is that I don't care which process the user ran or how much memory or cpu it consumed but WHAT the process did. The difference between rm -fr ~/* and rm -fr /*.


LD_PRELOAD does this more or less, and if the user opens an alternate shell I will see it in the history and know he did something suspicious.

I tried pam_tty_audit, but did not get very far. I could only get it to log logins, not commands.
 
  

