Chandrahasa s
Valued Contributor

Denying use of HISTFILE variable to normal user

Hi Gurus,

I have created user auditing using History.
I have put this script in /etc/profile

But a normal user can change the path of this history file using the HISTFILE variable.
I want to deny use of the HISTFILE variable to normal users. Kindly help on this.

Chandra
Torsten.
Acclaimed Contributor

Re: Denying use of HISTFILE variable to normal user

Audit based on histfile sounds like a poor man's solution. If I really want, you will never know what I did based on such a file. Why not use the HP-UX Auditing System?

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Chandrahasa s
Valued Contributor

Re: Denying use of HISTFILE variable to normal user

Thanks for the reply,

Will HP-UX auditing help in the following way:

a) Each command typed by each user (including root) needs to be logged to a file
b) There should be a time stamp of each command.

If yes, kindly provide the required documents; it will be more helpful to me.

Thanks in advance..
Chandra
rariasn
Honored Contributor
Solution

Re: Denying use of HISTFILE variable to normal user

Hi Chandra:


Define in /etc/profile:

readonly HISTFILE=$HOME/.file_hist

rgs,

Dennis Handly
Acclaimed Contributor

Re: Denying use of HISTFILE variable to normal user

>rariasn: readonly HISTFILE=$HOME/.file_hist

This isn't foolproof.
Chandrahasa s
Valued Contributor

Re: Denying use of HISTFILE variable to normal user

Hi,

What is the meaning of this: "This isn't foolproof"?

Chandra
Steven Schweda
Honored Contributor

Re: Denying use of HISTFILE variable to normal user

> what is the mean of this"This isn't
> foolproof"

What stops a user from deleting or editing
his own HISTFILE?

> I have created user auditing using History.

No, you've created something which _pretends_
to be user auditing, but which any user can
evade or deceive.

If you need auditing, then why not use _real_
auditing? What good is using
pseudo-auditing, when you can't trust the
audit? If you don't care if the auditing is
accurate, then why bother doing anything?
rariasn
Honored Contributor

Re: Denying use of HISTFILE variable to normal user

Hi Chandra:

The text of the last HISTSIZE (default 128) commands entered from a terminal device is saved in a history file. The file $HOME/.sh_history is used if the HISTFILE variable is not set or writable.

The user can edit and modify the history.

rgs,
Chandrahasa s
Valued Contributor

Re: Denying use of HISTFILE variable to normal user

Hi,

Periodically (in minutes) copying the user history file to a central location can avoid deletion of the audit log by the user to some extent.

Steven: I do agree with your comment, but something is better than nothing.
Do you have any other alternative for this (user audit), which should be a product of HP or an open source one?

Chandra
nightwich
Valued Contributor

Re: Denying use of HISTFILE variable to normal user

Hi ..

You can use an audit system. In the past this could only be used in a trusted system, although today you can use it by installing a bundle.


Check the link: http://docs.hp.com/en/5991-1101/ch08s03.html


Regards.
Bill Hassell
Honored Contributor

Re: Denying use of HISTFILE variable to normal user

Because the history file must be writable by the user, the contents can be changed at any time by the user. Apparently you have untrustworthy users that try to hide their mistakes. There is very little you can do except to make a copy of the history files every few hours. Then when a problem is discovered, go through all the history files.

However, ordinary users have very little power to damage the system -- only root can do this. DO NOT use su for extending root privileges. Instead, download sudo from HP and configure the sudoers file to restrict each user. Now you'll have a log of what was attempted and what was done as root.


Bill Hassell, sysadmin
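
The periodic copy described in the post above could look like the following. This is an added example, not part of the original post: the archive layout, the state names and the function name `snapshot_history` are assumptions, and it is meant to run as root from cron with an archive directory users cannot write to.

```shell
#!/bin/sh
# Added example (not from the thread): run as root from cron to archive a
# user's history file outside the user's reach and flag rewrites.
# The archive layout and the function name are assumptions of this example.
umask 077

# snapshot_history USER HISTFILE ARCHIVE_DIR
# Prints: absent | new | unchanged | appended | rewritten | missing | symlink
# Returns 1 for the states worth a human look, 0 otherwise, 2 on I/O error.
snapshot_history() {
    user=$1; hist=$2; dir=$3/$user; last=$dir/last
    mkdir -p "$dir" || return 2
    # Never follow a link planted where the history file should be.
    if [ -h "$hist" ]; then echo symlink; return 1; fi
    if [ ! -f "$hist" ]; then
        if [ -f "$last" ]; then echo missing; return 1; fi
        echo absent; return 0
    fi
    if [ ! -f "$last" ]; then
        state=new
    elif cmp -s "$hist" "$last"; then
        echo unchanged; return 0
    else
        # Honest growth keeps the archived bytes as a prefix of the file.
        # A shell can also trim its own history, so "rewritten" means
        # "review the archived copies", not proof of tampering.
        oldsize=$(wc -c < "$last"); oldsize=$((oldsize))
        if [ "$oldsize" -eq 0 ] ||
           dd if="$hist" bs="$oldsize" count=1 2>/dev/null | cmp -s - "$last"
        then state=appended
        else state=rewritten
        fi
    fi
    # Keep every distinct version; the checksum keeps file names unique.
    set -- $(cksum < "$hist")
    cp "$hist" "$dir/$(date +%Y%m%d%H%M%S).$1" && cp "$hist" "$last" || return 2
    echo "$state"
    [ "$state" != rewritten ]
}

# Cron usage: script ARCHIVE_DIR USER HISTFILE
if [ $# -eq 3 ]; then snapshot_history "$2" "$3" "$1"; fi
```

Anything typed and then removed between two runs is still lost, so the interval bounds what the archive can show.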
Steven Schweda
Honored Contributor

Re: Denying use of HISTFILE variable to normal user

> [...] but something is better then nothing.

Is trusting something which can't be trusted
really better than nothing?

> do you have any other alternate [...]

Did you try a Web (or Forum) search for
keywords like, say:

hp-ux audit

?
Dennis Handly
Acclaimed Contributor

Re: Denying use of HISTFILE variable to normal user

>what is the mean of this "This isn't foolproof"

Readonly shell variables aren't perfect. Clever uses of subshells and programs can defeat it.
Torsten.
Acclaimed Contributor

Re: Denying use of HISTFILE variable to normal user

A user may consider executing a script and deleting it after execution, or running another shell like csh, bash, tclsh or something else.
Your HISTFILE will probably not tell you what the user did in detail ...

Hope this helps!
Regards
Torsten.

Chandrahasa s
Valued Contributor

Re: Denying use of HISTFILE variable to normal user

Hi,
Thanks for the replies, all,

Dennis and Torsten, I agree with your comments.
I have gone through all possible ways to get a solution for user audit, but I didn't find any best solution. PowerBroker and Centrify solutions fulfill these needs, but they charge a huge amount. Is there any solution, either an HP product or an open source one?

Chandra
Bill Hassell
Honored Contributor

Re: Denying use of HISTFILE variable to normal user

Another alternative is to simply take away shell login for these users and replace their shell with a menu script. The script would have a list of possible tasks which you control. That coupled with sudo gives you a free solution.


Bill Hassell, sysadmin
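
A menu script of the kind described in the post above, as an added example that is not part of the original post. The task list, the `menushell` log tag, the `/usr/local/bin/restart_app` path and all function names are assumptions; the script would be set as the user's login shell, with the privileged task permitted through sudoers.

```shell
#!/bin/sh
# Added example (not from the thread): a login "shell" that offers fixed tasks.
# The task list, log tag and function names are assumptions of this example.

# Map a menu choice to a fixed command line. The user's input only selects an
# entry; it is never executed, expanded or passed to eval.
task_for() {
    case $1 in
        1) echo "df -k" ;;
        2) echo "date" ;;
        3) echo "sudo /usr/local/bin/restart_app" ;;  # hypothetical sudoers entry
        *) return 1 ;;
    esac
}

# Record every selection and every rejected input through syslog.
audit() {
    logger -p auth.info -t menushell "user=${LOGNAME:-unknown} $*" 2>/dev/null ||
        echo "menushell: audit log unavailable" >&2
}

# Returns 2 for input that is not on the menu, else the task's exit status.
run_choice() {
    if cmd=$(task_for "$1"); then
        audit "run choice=$1 cmd=$cmd"
        $cmd        # word-splitting is safe here: $cmd is one of our constants
    else
        # Log only a short alphanumeric excerpt so input cannot forge log lines.
        audit "rejected input=$(printf '%s' "$1" | tr -cd '[:alnum:]' | cut -c1-16)"
        return 2
    fi
}

menu_loop() {
    trap '' INT QUIT TSTP              # keyboard signals must not end the menu
    PATH=/usr/bin:/bin; export PATH    # ignore any PATH the user arranged
    while :; do
        printf '1) disk usage\n2) date\n3) restart application\nq) logout\n> '
        read -r choice || break        # EOF or hangup ends the session
        [ "$choice" = q ] && break
        run_choice "$choice"
        [ $? -eq 2 ] && echo "Not a menu option."
    done
}

# Serve the menu only on a terminal; the script's exit is the user's logout.
if [ -t 0 ]; then menu_loop; fi
```

Every task on the menu has to be one that offers no shell escape of its own (no pager or editor), otherwise the restriction ends at that task.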
Horia Chirculescu
Honored Contributor

Re: Denying use of HISTFILE variable to normal user

>replace their shell with a menu script

Anyone remember the old BBS system? (In the early 1995 or so... - using modem/Dial-Up connections)

Used to set up some of those. Golden ages... :-)

Best regards,
Horia.
Best regards from Romania,
Horia.
Chandrahasa s
Valued Contributor

Re: Denying use of HISTFILE variable to normal user

Looks like no one has a proper answer..........


Anyhow, thanks to all.............


Chandra
Steven Schweda
Honored Contributor

Re: Denying use of HISTFILE variable to normal user

> looks no one have proper answer..........

Perhaps you're asking the wrong question.
Chandrahasa s
Valued Contributor

Re: Denying use of HISTFILE variable to normal user

Hi,

If somebody doesn't have an answer, it is better to keep silent rather than misguiding authors.

Chandra