Archive

Posts tagged ‘Hacking Bash History’

Hacking Bash History

December 31, 2010 admin No comments

[==============================================================================]
[---------------------------[ Hacking Bash History ]---------------------------]
[==============================================================================]

By: ithilgore – ithilgore.ryu.L@gmail.com
July 2008

-------------[ Table of Contents ]-------------

i. Preface
ii. Hardening bash_history
iii. Attacking the logging mechanism
iv. Hacking bash – interfacing with syslog
v. Conclusion
vi. References

[ i. Preface ]
==============

Bash is probably the most widely used shell in the *nix world, and one of its
features is the history mechanism. The history mechanism exists mainly for the
user’s convenience – less typing -> work done faster. However, it has been
suggested that bash_history can also serve as a logging mechanism to monitor
users’ activity. This article covers the arguments against that idea and why the
mechanism is useless against someone who thinks outside the box. We are going
to see that every defensive measure taken to protect the history file can
be subverted with little or no difficulty. The discussion will progress from
lax to strict in the methods applied, but that doesn’t mean the countermeasures
become increasingly difficult to implement. Most of them are no-brainers. In the end,
we are going to meddle with the bash source code to make the logging mechanism
(at first sight) “invincible”, and we are going to see why even that can fail.

[ ii. Hardening bash_history ]
==============================

Suppose you are an administrator of a shell-providing box and there is a really
pesky user whose activities you would like to monitor, since you are really
suspicious about what he does late at night with the precious CPU power and
system resources that you have pledged to protect against malicious (or other)
usage. Let’s call the user Bob – enough of using Trinity as the “bad” one all
the time. Since all users use bash as their default shell in the server, you
start making a few changes to the bash configuration files.

// Step 1 //

– Make the bash history and relevant files undeletable/unchangeable.

The first thing Bob would probably do would be to symlink his history to
/dev/null.
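The symlink-to-/dev/null trick in Step 1 is trivial to spot from the administrator's side, and that is the kind of check that should run before trusting any history file. The script below is an added example, not code from ithilgore's article: `check_history_file` classifies a history path as a regular file, a symlink (reporting whether it points at /dev/null), missing, or some other object such as a FIFO, and `append_only_set` asks `lsattr` whether the append-only attribute is present (the attribute letter `a` in lsattr's first field; lsattr is assumed to be available only where e2fsprogs is installed, so the function reports "unknown" otherwise). The `--demo` run uses a constructed temporary directory, not any real user's home.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a bash history file
# for the evasions discussed in the text, from the administrator's point of view.

# check_history_file PATH
#   prints a verdict and returns:
#     0 = regular file          1 = symlink (reported with its target)
#     2 = missing               3 = exists but is not a regular file (fifo, dir, ...)
check_history_file() {
    f="$1"
    if [ -L "$f" ]; then
        target=$(readlink "$f")
        if [ "$target" = "/dev/null" ]; then
            echo "$f: SYMLINK to /dev/null (history is being discarded)"
        else
            echo "$f: SYMLINK to $target"
        fi
        return 1
    elif [ ! -e "$f" ]; then
        echo "$f: MISSING (never created or deleted)"
        return 2
    elif [ -f "$f" ]; then
        echo "$f: regular file"
        return 0
    else
        echo "$f: NOT a regular file"
        return 3
    fi
}

# append_only_set PATH
#   returns 0 if lsattr reports the append-only ('a') attribute, 1 if it does
#   not, 2 if lsattr is unavailable (assumption: lsattr's first output field is
#   the attribute string, e.g. "----a--------e--").
append_only_set() {
    f="$1"
    command -v lsattr >/dev/null 2>&1 || { echo "$f: append-only unknown (no lsattr)"; return 2; }
    attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
    case "$attrs" in
        *a*) echo "$f: append-only set"; return 0 ;;
        *)   echo "$f: append-only NOT set"; return 1 ;;
    esac
}

# demo: constructed cases in a temporary directory (no real home directories touched)
demo() {
    d=$(mktemp -d)
    ln -s /dev/null "$d/.bash_history.null"     # Bob's trick
    ln -s /tmp/elsewhere "$d/.bash_history.other"
    : > "$d/.bash_history.ok"
    for h in "$d/.bash_history.null" "$d/.bash_history.other" \
             "$d/.bash_history.gone" "$d/.bash_history.ok"; do
        check_history_file "$h" || true
    done
    append_only_set "$d/.bash_history.ok" || true
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh audit_history.sh --demo` to see the verdicts; in real use, feed it each home directory's `.bash_history` and treat anything other than "regular file" with append-only set as a finding worth looking into.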
Read more…

Category: Notepad Tags: