Securing user command line logging.

Posted on January 3rd, 2009


Keeping logs of user activity is sometimes important. Here is a method of closing off the easy ways of escaping from command line logging in bash, so that an interactive user cannot simply unset, truncate or rewrite their history file. It does not turn .bash_history into a tamper-proof audit trail (the history is written by the user's own shell process), but it does stop the casual evasions. This can be done in a few simple steps as follows:

Add the following to the bottom of your /etc/profile script. /etc/profile is only read by login shells, so if your users also get non-login interactive shells (terminal emulators, su) put the same line in the system-wide bashrc as well (/etc/bash.bashrc on Debian-based systems, /etc/bashrc on Red Hat-based ones). Once the variable is readonly, "unset HISTFILE" and "HISTFILE=/dev/null" are refused in that shell:

readonly HISTFILE

Next you need to remove the setuid bit from "chsh". This stops ordinary users from changing their login shell to one that logs differently (or not at all); root can still run chsh. To do this, run the following as root:

chmod -s $( which chsh )

Now we remove all the unwanted shell types. chsh only accepts shells listed in /etc/shells, so the file should contain only

/bin/bash

bash-3.1$ cat /etc/shells
/bin/bash

Check /etc/passwd and move every user who has an alternative login shell to /bin/bash. I suggest using the chsh command to do this, for example:

chsh -s /bin/bash user

Now comes a fairly boring manual task, depending on your scripting ability. Every user who uses bash produces a .bash_history file in their home directory; users who have been using alternative shells will not have this file yet.

The following commands secure the .bash_history file for one user; scripting a loop of some kind to deal with a large number of users shouldn't be too much work. You could also hook these commands into your adduser process so they run for every new account, or run them from a daily cron job to re-enforce the permissions. As root:


touch /home/user/.bash_history
chown user:root /home/user/.bash_history
chmod 600 /home/user/.bash_history
chattr +a /home/user/.bash_history
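To apply the per-user steps to every interactive account in one go, here is an added example script; it is not part of the original post. It takes the passwd file as a parameter (so it can be tried against a copy before the live /etc/passwd), lists the accounts still on a non-bash shell for chsh, and creates each .bash_history with the ownership, mode and append-only attribute described above. It assumes Linux with GNU coreutils (stat -c) and e2fsprogs (chattr, lsattr); chown and chattr need root, so they are only attempted when running as root. Two things go beyond the post: profile_fragment also emits "shopt -s histappend", because bash saves history at logout with a truncating open unless histappend is set and an append-only file rejects that open; and secure_history skips files that already carry the append-only attribute, because the kernel refuses chmod and chown on append-only files, so a cron job that naively re-ran the four commands would fail on its second run.

```bash
#!/bin/sh
# Added example, not from the original post. Applies the per-user history
# hardening to every interactive account in a passwd file.
# Assumes Linux with GNU coreutils (stat -c) and e2fsprogs (chattr/lsattr).
set -u

# Lines to append to /etc/profile. "readonly HISTFILE" is the post's line;
# "shopt -s histappend" is added because bash saves history at logout with a
# truncating open unless histappend is set, which an append-only file rejects.
profile_fragment() {
    printf '%s\n' 'shopt -s histappend' 'readonly HISTFILE'
}

# Print "name:uid:home:shell" for accounts that can log in: UID >= 1000 and a
# shell other than nologin/false. Root and system accounts are left alone.
interactive_users() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $6 ":" $7 }' "$1"
}

# Interactive users not yet on /bin/bash; each needs "chsh -s /bin/bash NAME".
nonbash_users() {
    interactive_users "$1" | awk -F: '$4 != "/bin/bash" { print $1 }'
}

# The post's chsh step for every non-bash user (root only).
fix_shells() {
    for name in $(nonbash_users "$1"); do
        chsh -s /bin/bash "$name"
    done
}

# Report "<mode> <a|->" for a history file, e.g. "600 a" when it is append-only.
history_status() {
    mode=$(stat -c %a "$1") || return 1
    attr=$(lsattr -d "$1" 2>/dev/null | awk '{ if ($1 ~ /a/) print "a"; else print "-" }')
    echo "$mode ${attr:--}"
}

# Steps 1-4 of the post for one user: empty file, owned user:root, mode 600,
# append-only. chown and chattr need root, so they run only as root; chattr
# also needs an ext*/xfs filesystem, so its failure is a warning, not an error.
secure_history() {
    user=$1; home=$2; f="$home/.bash_history"
    [ -d "$home" ] || { echo "no home directory for $user: $home" >&2; return 1; }
    # Already append-only from a previous run: the kernel refuses chmod/chown
    # on append-only files, so there is nothing left to do.
    case $(history_status "$f" 2>/dev/null) in *" a") return 0 ;; esac
    touch "$f" && chmod 600 "$f" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:root" "$f" || return 1
        chattr +a "$f" 2>/dev/null || echo "warning: chattr +a failed on $f" >&2
    fi
}

# Walk the passwd file and secure every interactive user's history file.
# Returns the number of users that could not be handled.
enforce_all() {
    failed=0
    while IFS=: read -r name uid home shell; do
        [ -n "$name" ] || continue
        secure_history "$name" "$home" || failed=$((failed + 1))
    done <<EOF
$(interactive_users "$1")
EOF
    return "$failed"
}

# Usage on the live system, as root:
#   . ./secure_history.sh
#   profile_fragment >> /etc/profile
#   fix_shells /etc/passwd && enforce_all /etc/passwd
```

history_status doubles as the check for the daily cron job: any interactive user whose file does not report "600 a" has either lost the attribute or never had the file created.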

What have we done? Well, we've:
1) made a blank file called .bash_history
2) made it owned by the user who will log to it (group root)
3) set its permissions to read/write for user "user" only
4) made the file append-only, so its owner can add lines but cannot truncate it, delete it or rewrite earlier entries (only root can clear the attribute with chattr -a)
5) in /etc/profile, made HISTFILE readonly so the log file can no longer be unset or redirected within the login shell.

Two caveats. First, bash saves history at logout with a truncating write unless the histappend shell option is set, and an append-only file refuses that write, so add "shopt -s histappend" next to the readonly line or the history will not be saved at all. Second, the history is written by the user's own shell, so a determined user can still avoid it (for example with "set +o history", or by starting a fresh shell with a different HISTFILE in its environment, since readonly is not inherited by child processes). Treat this as raising the bar against casual evasion, and use the kernel audit subsystem or process accounting when you need a real audit record.

Thanks,
Ash Palmer
Network Security Logistics