You could set a higher securelevel and use system flags like:
chflags sappnd .history
Which will prevent it from being erased and only allow appending.
On Tue, 31 Mar 2020 at 10:59, el kalin <kalin at el.net> wrote:
> hi all...
>
> noticed that over night the shell .history file for root was emptied. the
> file is there but there is no history in it. this is unusual and it's the
> second time it happens in 2 months. it's particularly peculiar since nobody
> else has the root password for this machine. i can't see any ssh access in
> auth.log and ssh access is limited to a handful of ips... how could i
> figure out what is emptying the .history file?
>
> thanks...
>
> also, the .cshrc looks like this:
>
> set promptchars = "%#"
>
> set filec
> set history = 1000
> set savehist = (1000 merge)
> set autolist = ambiguous
> # Use history to aid expansion
> set autoexpand
> set autorehash
> set mail = (/var/mail/$USER)
> if ( $?tcsh ) then
> bindkey "^W" backward-delete-word
> bindkey -k up history-search-backward
> bindkey -k down history-search-forward
> endif
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
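
The reply's suggestion combines two settings: the `sappnd` flag on the file and a raised securelevel. The sh script below is an added example, not part of the thread; it checks whether both are in place, on the basis that FreeBSD only refuses to clear system flags when `kern.securelevel` is 1 or higher. The function names `has_flag`, `assess` and `audit` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a history file is
# append-only in a way that root cannot simply undo with chflags.

# has_flag FLAGS NAME: succeeds if NAME is in the comma-separated FLAGS list
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess FLAGS SECURELEVEL: print one verdict word
#   unprotected  no append-only flag is set
#   user-only    only uappnd is set; the owner can clear it at any securelevel
#   removable    sappnd is set but securelevel < 1, so root can clear it
#   enforced     sappnd is set and securelevel >= 1
assess() {
    flags=$1 level=$2
    if has_flag "$flags" sappnd; then
        if [ "$level" -ge 1 ]; then echo enforced; else echo removable; fi
    elif has_flag "$flags" uappnd; then
        echo user-only
    else
        echo unprotected
    fi
}

# audit FILE: read the live flags and securelevel (FreeBSD only)
audit() {
    file=$1
    flags=$(stat -f %Sf "$file") || return 1
    level=$(sysctl -n kern.securelevel) || return 1
    echo "$file flags=$flags securelevel=$level verdict=$(assess "$flags" "$level")"
}

# Run the live audit only on FreeBSD and only when a path is given,
# e.g.  sh audit.sh /root/.history
if [ "$(uname -s)" = FreeBSD ] && [ -n "${1:-}" ]; then
    audit "$1"
fi
```

A verdict of `removable` means the flag is set but can still be cleared by root with `chflags nosappnd`; only `enforced` holds until the securelevel is lowered, which requires a reboot.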