November 2nd, 2003, 05:32 PM
Ok, I was trying to restrict a user from editing the .bash_history file so I did a chown and chgrp to root. There was a problem here though. The file wasn't being updated after this due to the permissions. Then I changed the owner back to the user and set privileges to just be able to write and not read. It still will not update the file. I am assuming that the user must have read write access to the file for it to be updated at every logon. So my question is, how do you keep a user from changing the .bash_history file?
November 2nd, 2003, 06:06 PM
I expect the answer is that you can't stop them editing it if you still want it to be usable, because the user's shell has to be able to change it in order to store the command history. If you are trying to log what your users are doing I am sure there are better ways.
November 2nd, 2003, 06:50 PM
I'm still learning this stuff so please bear with me. I'm wondering why you want to restrict the access.... I'm sure restricting it from, oh say, outside sources would be a good idea (Xchat says something about the bash_history when you set it to auto accept files from other people).
If you're wondering about keeping the root account safe just login normally and don't su through a shell.... but I would think that it wouldn't keep the root passwd in plain text in the bash_history. I don't know, sorry if this isn't helpful, but I'm trying over here
The internet, not just for stalkers and pervs, but for computer geeks too!
November 2nd, 2003, 06:56 PM
That's not what I'm worried about. I just don't want a user to do illegal stuff with an account and then easily be able to change the .bash_history file. It doesn't show any password entering or anything like that. If I typed su, only that would show up in the .bash_history file. Nothing else related to the command would show up. I'm pretty sure that you can make it to where a user cannot change this file. I just want to know how? That way if someone doing something on the computer does something bad and someone comes knocking on my door, I just print out the .bash_history file and the ssh log file to show them that this person was logged on at the time of the incident and they were using some weird commands. I'm sure that there are other logging features that produce the same info but I just don't want the .bash_history file being modified by the user it is giving the history of.
November 2nd, 2003, 07:11 PM
Why not have a duplicate of the .bash_history being sent elsewhere? Or use a bash shell that records items (see http://www.honeynet.org tools/resource section).
November 2nd, 2003, 07:28 PM
MsMittens I believe has the best suggestion so far, make duplicates of the file...
Since you obviously would want it tracked between changes etc... Do something like create a shell script that makes a copy of the file followed by the date and time as an extension - ergo something that would result in a copy named:
When it's 11/01/03 at 10:54:43 am...
and then set up a cron job to run that script however often you want it to run.
Then just go through that directory from time to time and run 'diff' command between the files and delete any that had no changes to it between runs, as they would be unneeded and wasting space...
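The timestamped-copy approach suggested in the post above, written out as an added example that is not part of any poster's message. It skips the copy when nothing has changed since the newest snapshot, so no diff-and-delete pass is needed afterwards. The function name, the archive directory and the `LABEL.YYYYMMDD-HHMMSS` naming are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Intended to run as root from cron so
# the copies land in a root-owned directory the user cannot write to.
# Assumptions: function name, LABEL.YYYYMMDD-HHMMSS naming, archive location.

# snapshot_history SRC ARCHIVE_DIR LABEL [STAMP]
# Copies SRC to ARCHIVE_DIR/LABEL.STAMP unless SRC is byte-identical to the
# newest snapshot already stored for LABEL. Prints the new path when it copies.
snapshot_history() {
    src=$1; dest=$2; label=$3
    stamp=${4:-$(date +%Y%m%d-%H%M%S)}
    [ -f "$src" ] || return 1
    mkdir -p "$dest" && chmod 700 "$dest" || return 1

    # Globs expand in sorted order, so the last match is the newest stamp.
    latest=
    for f in "$dest/$label".*; do
        if [ -f "$f" ]; then latest=$f; fi
    done

    # Nothing changed since the last run: keep no duplicate.
    if [ -n "$latest" ] && cmp -s "$src" "$latest"; then
        return 0
    fi

    new="$dest/$label.$stamp"
    ( umask 077; cp "$src" "$new" ) || return 1
    chmod 400 "$new"
    printf '%s\n' "$new"
}

# Stand-alone use from root's crontab (all paths below are placeholders):
#   */10 * * * * /usr/local/sbin/snapshot-history.sh /home/alice/.bash_history /var/log/histarchive alice
if [ "$#" -ge 3 ]; then
    snapshot_history "$@"
fi
```

Running `diff` between two consecutive snapshots then shows any lines the user removed or rewrote between runs.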
November 2nd, 2003, 07:40 PM
Thank you very much MsM and bpiedlow. I think that will definitely work, I will just have to do a little research.
November 2nd, 2003, 08:22 PM
You can also discourage changes by strict policy guidelines. Do as MsMittens says and store a copy in a dir owned by root. If changes are made to the file (just write a little script to compare the two using diff).... BAN the user.
November 3rd, 2003, 12:05 AM
Yes, like MsMittens said, put it in a directory owned by root.. Also to thwart the kiddies you can chattr +a the file...
"Serenity is not the absence of conflict, but the ability to cope with it."