Tracking people’s history


FROM http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html

4.10.9 Hand-made user auditing

If you are paranoid you might want to add a system-wide /etc/profile
that sets the environment in a way such that they cannot remove audit
capabilities from the shell (commands are dumped to $HISTFILE). The
/etc/profile could be set as follows:

       HISTFILE=~/.bash_history
       HISTSIZE=100000000000000000
       HISTFILESIZE=10000000000000000
       readonly HISTFILE
       readonly HISTSIZE
       readonly HISTFILESIZE
       export HISTFILE HISTSIZE HISTFILESIZE

1 comment

Well that's a good idea, but:
The user owns his "~/.bashrc" or has to have at least write access to append to the history.
So the user can easily avoid auditing by removing a few commands from in between the history, and you'd not even know, because the file changes anyway.

And "HISTCONTROL=ignorespace" is maybe set also, so a command beginning with a space won't show up in the history at all.

But still a good idea, if the users don't know where to look or are too lazy ;)

- Breeze
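
The HISTCONTROL gap raised in the comment can be checked mechanically. The script below is an added example, not part of the original post, the Debian manual or the comment; `audit_history_profile` and the sample file names are assumptions. It sources a profile in a clean bash and reports which history variables a user could still change.

```shell
#!/bin/sh
# Added example, not from the Debian manual. audit_history_profile is a
# hypothetical helper. It sources the given profile in a clean bash, so
# only point it at profile files you already trust.
audit_history_profile() {
    # HOME is a non-existent directory, so ~/.bash_history resolves to a
    # missing path and no real history file is touched.
    env -i PATH="$PATH" HOME=/nonexistent PROFILE="$1" \
        bash --noprofile --norc -c '
        . "$PROFILE" >/dev/null 2>&1
        rc=0
        for v in HISTFILE HISTSIZE HISTFILESIZE HISTCONTROL HISTIGNORE; do
            # Assigning to a readonly variable fails; probe in a subshell.
            if ( eval "$v=probe" ) 2>/dev/null; then
                echo "WEAK: $v can be reassigned by the user"; rc=1
            fi
        done
        # Non-empty values let bash skip commands (ignorespace, patterns).
        [ -z "$HISTCONTROL" ] || { echo "WEAK: HISTCONTROL=$HISTCONTROL"; rc=1; }
        [ -z "$HISTIGNORE" ] || { echo "WEAK: HISTIGNORE=$HISTIGNORE"; rc=1; }
        exit "$rc"'
}

# Constructed sample 1: the settings exactly as quoted on this page.
sample_dir=$(mktemp -d)
cat > "$sample_dir/profile.page" <<'EOF'
HISTFILE=~/.bash_history
HISTSIZE=100000000000000000
HISTFILESIZE=10000000000000000
readonly HISTFILE
readonly HISTSIZE
readonly HISTFILESIZE
export HISTFILE HISTSIZE HISTFILESIZE
EOF
# Constructed sample 2: the same, plus HISTCONTROL and HISTIGNORE pinned empty.
{ cat "$sample_dir/profile.page"
  echo 'HISTCONTROL=""; HISTIGNORE=""'
  echo 'readonly HISTCONTROL HISTIGNORE'
} > "$sample_dir/profile.hardened"

for f in profile.page profile.hardened; do
    echo "== $f"
    audit_history_profile "$sample_dir/$f" && echo "OK: nothing adjustable"
done
```

The check covers only the shell variables; it does not address the comment's other objection, that the user can still edit the history file itself.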