HPE Community
Operating System - HP-UX
1836314 Members
2963 Online
110100 Solutions
New Discussion

Sudo approach to HIST file

 
SOLVED
Go to solution
MohitAnchlia
Frequent Advisor

‎09-11-2006 05:27 AM

‎09-11-2006 05:27 AM

Sudo approach to HIST file

In one of my earlier posts for auditing user sessions, somebody suggested following:

"You may also want to consider a 'sudo' approach to the user's history file so that he/she does not have direct write access to it. Routine archiving of ~user/$HISTFILE would also be a good idea"

Could somebody help me understand how can I do what has been suggested.
0 Kudos
Reply
12 REPLIES 12
Jaime Bolanos Rojas.
Honored Contributor

‎09-11-2006 05:45 AM

‎09-11-2006 05:45 AM

Re: Sudo approach to HIST file

MohitAnchlia!

When using sudo, you can tell which users can executed or have privileges under what, it also keeps a track of the actions performed by that user.

For more information regarding sudo, the oficial page is better:

http://www.gratisoft.us/sudo/

Regards,

Jaime.
Work hard when the need comes out.
0 Kudos
Reply
MohitAnchlia
Frequent Advisor

‎09-11-2006 06:15 AM

‎09-11-2006 06:15 AM

Re: Sudo approach to HIST file

Putting it in my context could you please give me an example. I looked at the manual and it looks like you can just specify commands that user can run as super user.
But how does it solve my history file problem
0 Kudos
Reply
Mel Burslan
Honored Contributor

‎09-11-2006 06:26 AM

‎09-11-2006 06:26 AM

Solution

Re: Sudo approach to HIST file

I am not sure who said that sudo approach to the history file but in the context it was used, it is not the right suggestion. A user's history file should be writable by the user and only the user to accumulate the commands he/she executes for future recall. If you yank the write privilege from the user himself, how is his shell be able to write to it ?

The meaning would be somehow different but I can not think of one off the top of my head.
________________________________
UNIX because I majored in cryptology...
Reply
Jaime Bolanos Rojas.
Honored Contributor

‎09-11-2006 06:34 AM

‎09-11-2006 06:34 AM

Re: Sudo approach to HIST file

MohitAnchlia,

This old thread talks exactly the same that Spex was talking before.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=20355&admit=-682735245+1157999042402+28353475

Probably. The only thing that people wanted was to protect the history somehow.

Regards,

Jaime.
Work hard when the need comes out.
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎09-11-2006 06:50 AM

‎09-11-2006 06:50 AM

Re: Sudo approach to HIST file

Hi:

I agree with Mel. If I (my shell) can write to its history file, then I (as a user of the shell) can simply truncate (> .sh_history) if I want to obliterate my history.

Regards!

...JRF...
0 Kudos
Reply
Mel Burslan
Honored Contributor

‎09-11-2006 07:14 AM

‎09-11-2006 07:14 AM

Re: Sudo approach to HIST file

very cpu intensive and disk utilization heavy way of doing this, while logged in as root or equivalent

before starting the procedure,

for home in `cat /etc/passwd | awk {'print $6'}`
do
if [ -a ${home}/.sh_history ]
then
cp ${home}/.sh_history ${home}/.sh_history.sav

else
touch ${home}/.sh_history.sav

fi
chmod 400 ${home}/.sh_history.sav
done

while true
do

for home in `cat /etc/passwd | awk {'print $6'}`
do
if [ -a ${home}/.sh_history ]
then
histsize=`cat ${home}/.sh_history | wc -c`
savhistsize=`cat ${home}/.sh_history.sav | wc -c`

if [ ${histsize} -ne ${savhistsize} ]
then
cp $home/.sh_history.sav .sh_history.sav.`date | sed -e "1,1s/ //g"`
cp ${home}/.sh_history ${home}/.sh_history.sav
fi
done # done executing the for loop

sleep 30 # wait 30 seconds or adjust according to your desires

sone #done executing while loop


include
BEWARE : This is a concept. it has not been tested for neither syntax, nor logic. If you are planning to use it, test on a small set of data. In case it works, accumulation of history file logs may cripple your system and heavy looping may cost you a very bad performance penalty.
________________________________
UNIX because I majored in cryptology...
Reply
spex
Honored Contributor

‎09-11-2006 07:36 AM

‎09-11-2006 07:36 AM

Re: Sudo approach to HIST file

Hi,

When I made that statement, I was suggesting a sudo-like approprach of preventing direct access to .sh_history (sh & ksh) and .history (csh). I wasn't implying that using sudo is the way to accomplish this.

Notice how user1's command history continues to be recorded even after .sh_history gets mode 400:

$ whoami
user1
$ pwd
/home/user1
$ ls -al | awk '{print $1,$3,$9}'
total
drwxr-xr-x . user1
drwxrwxrwx .. root
-rw------- user1 .Xauthority
-rw------- user1 .sh_history
$ echo "uno dos tres"
uno dos tres
$ tail -2 .sh_history
echo "uno dos tres"
tail -2 .sh_history
$ chmod u-w .sh_history
$ ls -al | awk '{print $1,$3,$9}'
total
drwxr-xr-x . user1
drwxrwxrwx .. root
-rw------- user1 .Xauthority
-r-------- user1 .sh_history
$ echo "cuatro cinco seis"
cuatro cinco seis
$ tail -2 .sh_history
echo "cuatro cinco seis"
tail -2 .sh_history

In fact, history is still recorded even after .sh_history gets a new owner and group:

$ chown root:root .sh_history
$ cat .sh_history
cat: Cannot open .sh_history: Permission denied

As root:

# tail -2 ~user1/.sh_history
chown root:root .sh_history
cat .sh_history

However, user1 can still delete .sh_history:

$ rm .sh_history
.sh_history: 400 mode ? (y/n) y
$ ls -al | awk '{print $1,$3,$9}'
total
drwxr-xr-x user1 .
drwxrwxrwx root ..
-rw------- user1 .Xauthority

so it's not a perfect solution.

PCS
Reply
MohitAnchlia
Frequent Advisor

‎09-11-2006 11:21 AM

‎09-11-2006 11:21 AM

Re: Sudo approach to HIST file

So except turning the server to trusted mode there is no other way to track User commands ?
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎09-11-2006 01:14 PM

‎09-11-2006 01:14 PM

Re: Sudo approach to HIST file

Shalom,

It is NOT necessary to go to trusted mode to track user commands.

Merely setting the HISTFILE variable to a non-nfs location in the user profile will track user commands.

Note that a smart user can obliterate his .sh_history file. I know of some schemes were a cron job sweeps all of the .sh_history files to a backup location so that discrepencies can be spotted.

To prevent endless history files, set the HISTSIZE variable.

Also, since you are a new user to ITRC, let me inform you that if any of the answeres here were of assistance, that you are encouraged to assign points to those answers.

Regards,

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
MohitAnchlia
Frequent Advisor

‎09-13-2006 07:06 AM

‎09-13-2006 07:06 AM

Re: Sudo approach to HIST file

Could you please elaborate little more on setting HISTFILE to non-nfs location. How do I do this and how will it help?
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎09-13-2006 07:16 AM

‎09-13-2006 07:16 AM

Re: Sudo approach to HIST file

An example for non-nfs history file - in /etc/profile:

HISTFILE=/tmp/.sh_history.$(whoami)
export HISTFILE

Note the location refers locally rather than to some NFS mounted locale like "HISTFILE=/nfs/srvr1/home/user_name".


Pete

Pete
0 Kudos
Reply
spex
Honored Contributor

‎09-13-2006 07:20 AM

‎09-13-2006 07:20 AM

Re: Sudo approach to HIST file

In ~user/.profile:

HISTFILE=/tmp/.sh_history.${USER}.${$}
export HISTFILE

Doing this only makes $HISTFILE more difficult to find for the user. It does not prevent him/her from altering/deleting it.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.