root .history

J. Hellenthal jhellenthal at dataix.net
Tue Mar 31 18:26:27 UTC 2020 

Seems a little extreme, you could check other users .cshrc .tcshrc flies and see if there is a builtin mech for (history -c) in a trap or otherwise that might explain it.

If root history is a concern, audit should probably setup on that system if it runs that deep in the infrastructure before evaluating a secure level and chflags. 




> On Mar 31, 2020, at 13:09, Selphie Keller <selphie.keller at gmail.com> wrote:
> 
> You could set a higher securelevel and use system flags like:
> chflags sappnd .history
> Which will prevent it from being erased and only allow appending.
> 
> On Tue, 31 Mar 2020 at 10:59, el kalin <kalin at el.net> wrote:
> 
>> hi all...
>> 
>> noticed that over night the shell .history file for root was emptied. the
>> file is there but there is no history in it. this is unusual and it's the
>> second time it happens in 2 months. it's particularly peculiar since nobody
>> else has the root password for this machine. i can't see any ssh access in
>> auth.log and ssh access is limited to a handful of ips...  how could i
>> figure out what is emptying the .history file?
>> 
>> thanks...
>> 
>> also, the .cshrc looks like this:
>> 
>>    set promptchars = "%#"
>> 
>>        set filec
>>        set history = 1000
>>        set savehist = (1000 merge)
>>        set autolist = ambiguous
>>        # Use history to aid expansion
>>        set autoexpand
>>        set autorehash
>>        set mail = (/var/mail/$USER)
>>        if ( $?tcsh ) then
>>                bindkey "^W" backward-delete-word
>>                bindkey -k up history-search-backward
>>                bindkey -k down history-search-forward
>>        endif
>> _______________________________________________
>> freebsd-security at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org
>> "
>> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"


-- 

J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.






-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3944 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20200331/d7f6857e/attachment.bin>

More information about the freebsd-security mailing list