Re: [Full-disclosure] encrypt the bash history

[Peter Maxwell <peter@xxxxxxxxxxxxxxx>]

To be honest, none of these methods will actually be effective: root can do
what he/she likes, including monitoring *everything* you do.  Worrying about
shell history is not going to solve anything.

Your only choices are to trust root, or setup your own host.

Peter Maxwell


On 6 February 2011 11:21, Zerial. <fernando@xxxxxxxxxx> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/04/11 16:36, Erik Falor wrote:
> > On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> On 02/04/11 16:13, Valdis.Kletnieks@xxxxxx wrote:
> >>> On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
> >>>> what is the best way to encrypt the bash_history file?
> >>>> I try using crypt/decrypt with GPG when login/logout. It works, but
> not
> >>>> safe enough.
> >>>
> >>> Explain what the threat model is, and why GPG isn't safe enough?  It's
> kind of
> >>> hard to recommend "best" when we don't understand what the criteria
> are...
> >>>
> >>
> >> The "way" is not safe enough. root can login as me (su - user) and
> >> bash_history will be decrypted. I try to find any better way to crypt
> >> and make unreadable the bash_history file from any other users,
> >> including root.
> >
> > Not to mention the fact that your .bash_history file is unencrypted
> > the entire time you're logged in.
>
> This is the problem on my "way" to protect/crypt the bash_history.
>
>  A better alternative, if you're
> > that anxious about your shell history falling into the wrong hands, is
> > to disable it entirely:
> >
> > unset HISTFILE
> > HISTSIZE=0
> >
> > You can also tell bash to not record commands that begin with a space:
> > HISTCONTROL=ignorespace
> >
> > More fine-grained control can be achieved with the HISTIGNORE
> > variable.  See the 'Shell Variables' section of the bash(1) manpage.
> >
> > Finally, I wrote these functions to toggle history recording on/off
> > in a shell.  I like how this works, when I remember to run it beforehand:
> >
> > # turn off history recording
> > function offtherecord()
> > {
> >     if [[ -n "$HISTFILE" ]]; then
> >         OLDHISTFILE=$HISTFILE
> >         unset HISTFILE
> >     fi
> >     if [[ -n "$HISTSIZE" ]]; then
> >         OLDHISTSIZE=$HISTSIZE
> >         HISTSIZE=0
> >     fi
> > }
> >
> > # turn on history recording
> > function ontherecord()
> > {
> >     if [[ -n "$OLDHISTFILE" ]]; then
> >         HISTFILE=$OLDHISTFILE
> >         unset OLDHISTFILE
> >     fi
> >     if [[ -n "$HISTSIZE" ]]; then
> >         HISTSIZE=$OLDHISTSIZE
> >         unset OLDHISTSIZE
> >     fi
> > }
> >
> > Once you've run offtherecord, you lose all of your history for that shell
> until
> > you log back in.
> >
>
> Nice tip, but this solution doesn't work for me. I don't wanna avoid
> logging commands nor delete the bash history nor hide the commands. I
> wanna "encrypt" the file. I don't wanna miss commands which I executed.
>
> Another solution may be copy and move the history file from the server
> to the client, saving the bash_history on client side. But ... this will
> not work if I connect using client as putty.
>
>
> thanks for the asnwer,
>
>
>
> - --
> Zerial
> Seguridad Informatica
> GNU/Linux User #382319
> Blog: http://blog.zerial.org
> Jabber: zerial@xxxxxxxxxxxx
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk1OhC0ACgkQIP17Kywx9JTuSgCcC455KT3/NrSZbOXNodc/zbG8
> JmcAn3QtIlyVyri5qCPxBFlaLa04C8tk
> =OVc7
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/