I know all commands a user sends to the server are automatically logged in ~/.bash_history.

I want to give a colleague access to my PC (I've already given him some limited access to use sudo via /etc/sudoers). Even though I trust him, I would love to reliably know what he has done on my PC, so I need to be sure that:

  • his ~/.bash_history cannot be compromised (he cannot truncate or otherwise change the file)
  • he cannot change critical env variables that would affect logging, like HISTCONTROL, HISTFILE or HISTSIZE
  • he cannot run something like history -c

I don't know if I forgot something, but I just need to be sure that when I come back to the PC, I will see everything he has done.

1 Answer

Harden bash_history and bash configuration files by making them append-only:

chattr +a /home/user/.bash_history
chattr +a /home/user/.bash_profile
chattr +a /home/user/.bash_login
chattr +a /home/user/.profile
chattr +a /home/user/.bash_logout
chattr +a /home/user/.bashrc

Harden env variables by adding the following lines to /home/user/.bashrc:

shopt -s histappend
readonly PROMPT_COMMAND="history -a"
readonly HISTFILE
readonly HISTFILESIZE
readonly HISTSIZE
readonly HISTCMD
readonly HISTCONTROL
readonly HISTIGNORE

histappend tells bash to append the last $HISTSIZE lines to the $HISTFILE file when an interactive shell exits. PROMPT_COMMAND executes the given command prior to issuing each prompt. history -a appends the command typed just before the current one to $HISTFILE.

Disable access to other shells:

chmod 750 csh
chmod 750 tcsh
chmod 750 ksh

Chris Ting
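A small verification harness for the readonly guards above, added here and not part of the answer: it writes a constructed .bashrc fragment modelled on the answer's lines, then starts a fresh bash (assumed to be on PATH) that sources it and attempts each change that would weaken history logging. Every attempt must be rejected; the same checks against a fragment without readonly show the difference.

```shell
#!/bin/sh
# Constructed rc fragment (modelled on the answer, not copied from a real host):
# readonly guards on the history variables and on PROMPT_COMMAND.
write_guarded_rc() {
  cat > "$1" <<'EOF'
shopt -s histappend
readonly PROMPT_COMMAND="history -a"
readonly HISTFILE
readonly HISTSIZE
readonly HISTCONTROL
EOF
}

# Same fragment without the readonly guards, for comparison.
write_unguarded_rc() {
  printf 'shopt -s histappend\nPROMPT_COMMAND="history -a"\n' > "$1"
}

# Source the rc in a fresh bash, then run one snippet. Return 0 only if
# bash rejected the snippet (assignment to or unset of a readonly variable
# fails with a non-zero status), i.e. the guard held.
rejected() {
  rc="$1"; snippet="$2"
  if bash --norc --noprofile -c ". '$rc'; $snippet" >/dev/null 2>&1; then
    return 1   # the change went through: guard missing
  fi
  return 0
}

# Return 0 only if every logging-relevant change is rejected.
guards_hold() {
  rc="$1"
  rejected "$rc" 'HISTFILE=/dev/null'      || return 1
  rejected "$rc" 'unset HISTFILE'          || return 1
  rejected "$rc" 'HISTSIZE=0'              || return 1
  rejected "$rc" 'HISTCONTROL=ignorespace' || return 1
  rejected "$rc" 'PROMPT_COMMAND=true'     || return 1
  return 0
}
```

The guards only protect shells that actually source the file, which is why the answer also makes the rc files themselves append-only with chattr.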