
Re: [Full-disclosure] encrypt the bash history




On 02/04/11 16:36, Erik Falor wrote:
> On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 02/04/11 16:13, Valdis.Kletnieks@xxxxxx wrote:
>>> On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
>>>> what is the best way to encrypt the bash_history file?
>>>> I try using crypt/decrypt with GPG when login/logout. It works, but not
>>>> safe enough.
>>>
>>> Explain what the threat model is, and why GPG isn't safe enough?  It's kind of
>>> hard to recommend "best" when we don't understand what the criteria are...
>>>
>>
>> The "way" is not safe enough. root can login as me (su - user) and
>> bash_history will be decrypted. I try to find any better way to crypt
>> and make unreadable the bash_history file from any other users,
>> including root.
> 
> Not to mention the fact that your .bash_history file is unencrypted
> the entire time you're logged in. 

This is the problem on my "way" to protect/crypt the bash_history.

> A better alternative, if you're
> that anxious about your shell history falling into the wrong hands, is
> to disable it entirely:
> 
> unset HISTFILE
> HISTSIZE=0
> 
> You can also tell bash to not record commands that begin with a space:
> HISTCONTROL=ignorespace
> 
> More fine-grained control can be achieved with the HISTIGNORE
> variable.  See the 'Shell Variables' section of the bash(1) manpage.
> 
> Finally, I wrote these functions to toggle history recording on/off
> in a shell.  I like how this works, when I remember to run it beforehand:
> 
> # turn off history recording
> function offtherecord()
> {
>     if [[ -n "$HISTFILE" ]]; then
>         OLDHISTFILE=$HISTFILE
>         unset HISTFILE
>     fi
>     if [[ -n "$HISTSIZE" ]]; then
>         OLDHISTSIZE=$HISTSIZE
>         HISTSIZE=0
>     fi
> }
> 
> # turn on history recording
> function ontherecord()
> {
>     if [[ -n "$OLDHISTFILE" ]]; then
>         HISTFILE=$OLDHISTFILE
>         unset OLDHISTFILE
>     fi
>     if [[ -n "$OLDHISTSIZE" ]]; then
>         HISTSIZE=$OLDHISTSIZE
>         unset OLDHISTSIZE
>     fi
> }
> 
> Once you've run offtherecord, you lose all of your history for that shell until
> you log back in.
> 

Nice tip, but this solution doesn't work for me. I don't wanna avoid
logging commands nor delete the bash history nor hide the commands. I
wanna "encrypt" the file. I don't wanna miss commands which I executed.

Another solution may be to copy and move the history file from the server
to the client, saving the bash_history on the client side. But ... this will
not work if I connect using a client such as putty.


thanks for the answer,



-- 
Zerial
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial@xxxxxxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
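
Added example, not part of the original messages: a small check of what the HISTCONTROL=ignorespace and HISTIGNORE settings mentioned in the quoted reply actually keep out of the history list, so the effect can be confirmed before relying on it. It assumes bash and mktemp are on PATH; the function name, the commands and the DB_PASS variable are constructed for illustration. Note that these settings only filter what is recorded; they do not encrypt anything.

```shell
#!/bin/sh
# Runs a constructed command sequence in a child bash with history
# recording switched on, then prints what ended up in the history list.
demo_history_filters() {
    demo_out=$(mktemp) || return 1
    # The quoted 'EOF' keeps the outer shell from expanding anything below.
    OUT="$demo_out" bash --norc --noprofile >/dev/null 2>&1 <<'EOF'
# No history file is loaded or saved implicitly in this child shell.
unset HISTFILE HISTTIMEFORMAT
# Skip lines that start with a space.
HISTCONTROL=ignorespace
# Skip lines matching these colon-separated patterns (whole-line match).
HISTIGNORE='export DB_PASS=*:ls'
# History is off by default in non-interactive shells; turn it on.
set -o history
echo visible-command
 echo leading-space-is-skipped
export DB_PASS=constructed-secret
ls
echo done
 history -w "$OUT"
EOF
    cat "$demo_out"
    rm -f "$demo_out"
}

# Print the recorded lines when run directly.
demo_history_filters
```

Only the two plain `echo` lines are recorded; the space-prefixed command, the `export DB_PASS=...` line and `ls` are filtered, and the space-prefixed `history -w` keeps itself out of the result.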