Seems a little extreme, you could check other users' .cshrc .tcshrc files and see
if there is a builtin mech for (history -c) in a trap or otherwise that might
explain it.
If root history is a concern, audit should probably be set up on that system if it
runs that deep in the infrastructure before evaluating a secure level and
chflags.
> On Mar 31, 2020, at 13:09, Selphie Keller <selphie.keller at gmail.com> wrote:
>
> You could set a higher securelevel and use system flags like:
> chflags sappnd .history
> Which will prevent it from being erased and only allow appending.
>
> On Tue, 31 Mar 2020 at 10:59, el kalin <kalin at el.net> wrote:
>
>> hi all...
>>
>> noticed that overnight the shell .history file for root was emptied. the
>> file is there but there is no history in it. this is unusual and it's the
>> second time it happens in 2 months. it's particularly peculiar since nobody
>> else has the root password for this machine. i can't see any ssh access in
>> auth.log and ssh access is limited to a handful of ips... how could i
>> figure out what is emptying the .history file?
>>
>> thanks...
>>
>> also, the .cshrc looks like this:
>>
>> set promptchars = "%#"
>>
>> set filec
>> set history = 1000
>> set savehist = (1000 merge)
>> set autolist = ambiguous
>> # Use history to aid expansion
>> set autoexpand
>> set autorehash
>> set mail = (/var/mail/$USER)
>> if ( $?tcsh ) then
>> bindkey "^W" backward-delete-word
>> bindkey -k up history-search-backward
>> bindkey -k down history-search-forward
>> endif
>> _______________________________________________
>> freebsd-security at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>>
--
J. Hellenthal
The fact that there's a highway to Hell but only a stairway to Heaven says a
lot about anticipated traffic volume.
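
The check suggested in the reply at the top of this message, as an added example that is not part of the original thread: a POSIX sh script that scans csh/tcsh start-up and logout files for lines that clear, disable or overwrite saved history. The pattern list and the function names `scan_rc` and `scan_home` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag csh/tcsh rc lines that clear, disable or overwrite history.
# The pattern list is a constructed starting point, not an exhaustive one.

P_CLEAR='history[[:space:]]+-c'                    # tcsh builtin: clear the list
P_UNSET='unset[[:space:]]+(history|savehist)'      # history or saving unset
P_NULL='set[[:space:]]+histfile[[:space:]]*=[[:space:]]*/dev/null'
P_FILE='(^|[^[:alnum:]_])(rm|cp|mv)[[:space:]][^#]*\.history|>[^#]*\.history'
HIST_PATTERNS="$P_CLEAR|$P_UNSET|$P_NULL|$P_FILE"

# scan_rc FILE...: print "file:line:text" for every match outside full-line
# comments. Returns 0 if at least one match was printed, 1 otherwise.
scan_rc() {
    rc=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null as a second operand makes grep prefix hits with the file name.
        hits=$(grep -n -E "$HIST_PATTERNS" "$f" /dev/null |
               grep -v -E '^[^:]*:[0-9]+:[[:space:]]*#') || true
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            rc=0
        fi
    done
    return "$rc"
}

# scan_home DIR: check the files csh/tcsh read at start-up, login and logout.
scan_home() {
    scan_rc "$1/.cshrc" "$1/.tcshrc" "$1/.login" "$1/.logout"
}

# Stand-alone use: pass one or more home directories as arguments.
if [ "$#" -gt 0 ]; then
    for h in "$@"; do scan_home "$h" || true; done
fi
```

No output means none of the listed patterns were found in the files checked; it does not cover cron jobs or other processes that might truncate the file.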