[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] encrypt the bash history
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] encrypt the bash history
- From: "Zerial." <fernando@xxxxxxxxxx>
- Date: Sun, 06 Feb 2011 08:21:17 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/04/11 16:36, Erik Falor wrote:
> On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 02/04/11 16:13, Valdis.Kletnieks@xxxxxx wrote:
>>> On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
>>>> what is the best way to encrypt the bash_history file?
>>>> I try using crypt/decrypt with GPG when login/logout. It works, but not
>>>> safe enough.
>>>
>>> Explain what the threat model is, and why GPG isn't safe enough? It's kind
>>> of
>>> hard to recommend "best" when we don't understand what the criteria are...
>>>
>>
>> The "way" is not safe enough. root can login as me (su - user) and
>> bash_history will be decrypted. I try to find any better way to crypt
>> and make unreadable the bash_history file from any other users,
>> including root.
>
> Not to mention the fact that your .bash_history file is unencrypted
> the entire time you're logged in.
This is the problem on my "way" to protect/crypt the bash_history.
A better alternative, if you're
> that anxious about your shell history falling into the wrong hands, is
> to disable it entirely:
>
> unset HISTFILE
> HISTSIZE=0
>
> You can also tell bash to not record commands that begin with a space:
> HISTCONTROL=ignorespace
>
> More fine-grained control can be achieved with the HISTIGNORE
> variable. See the 'Shell Variables' section of the bash(1) manpage.
>
> Finally, I wrote these functions to toggle history recording on/off
> in a shell. I like how this works, when I remember to run it beforehand:
>
> # turn off history recording
> function offtherecord()
> {
> if [[ -n "$HISTFILE" ]]; then
> OLDHISTFILE=$HISTFILE
> unset HISTFILE
> fi
> if [[ -n "$HISTSIZE" ]]; then
> OLDHISTSIZE=$HISTSIZE
> HISTSIZE=0
> fi
> }
>
> # turn on history recording
> function ontherecord()
> {
> if [[ -n "$OLDHISTFILE" ]]; then
> HISTFILE=$OLDHISTFILE
> unset OLDHISTFILE
> fi
> if [[ -n "$HISTSIZE" ]]; then
> HISTSIZE=$OLDHISTSIZE
> unset OLDHISTSIZE
> fi
> }
>
> Once you've run offtherecord, you lose all of your history for that shell
> until
> you log back in.
>
Nice tip, but this solution doesn't work for me. I don't wanna avoid
logging commands nor delete the bash history nor hide the commands. I
wanna "encrypt" the file. I don't wanna miss commands which I executed.
Another solution may be copy and move the history file from the server
to the client, saving the bash_history on client side. But ... this will
not work if I connect using client as putty.
thanks for the asnwer,
- --
Zerial
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial@xxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk1OhC0ACgkQIP17Kywx9JTuSgCcC455KT3/NrSZbOXNodc/zbG8
JmcAn3QtIlyVyri5qCPxBFlaLa04C8tk
=OVc7
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/