Bash is the default user shell in most Linux distributions. In case of incidents affecting a UNIX server, chances are that a Bash shell will be involved. Bash keeps a history of the commands executed by the user, which can be listed with the history builtin:

$ history | tail -5
 1993 pwd
 1994 whoami
 1995 cd
 1996 cd /tmp
 1997 history | tail -5

Entries can be recalled by number with "!", and the previous command can be re-run with a substitution using "^old^new":

$ !1996
cd /tmp
$ ^tmp^opt
cd /opt

When terminated, the Bash shell saves the current history to a file. From a forensics point of view, this is a goldmine! Being able to browse the history of commands executed by a user is a must have.

A few days ago, a friend published a blog post about a tip to improve the history of Bash shells. By defining the HISTTIMEFORMAT environment variable, you enable timestamps (the value must be quoted because it contains a space; the trailing space keeps the timestamp and the command apart):

$ export HISTTIMEFORMAT="%d/%m/%y %T "
$ history | tail -5
 1997 27/03/16 10:58:22 history | tail -5
 1998 27/03/16 10:58:33 cd /tmp
 1999 27/03/16 10:58:42 cd /opt
 2000 27/03/16 11:00:26 export HISTTIMEFORMAT="%d/%m/%y %T "
 2001 27/03/16 11:00:29 history | tail -5

While discussing this topic with him, I realized that there are some ways to fine tune the history of commands to improve forensics investigations. In 2009, I also wrote a blog post about Bash which gave some ideas to send a Bash command history to a remote Syslog server. I checked my web logs and this blog post remains popular, with more than 1000 visits over the last 30 days! Note that my blog post is outdated: since version 4.1, Bash supports Syslog natively, but in most distributions it is not enabled. To use this feature, you need to recompile your shell. I found this not very convenient, but the good point is that it cannot be disabled by the user (except if he switches to another shell or to another Bash binary).
You just have to define SYSLOG_HISTORY in config-top.h before building:

$ vi config-top.h
#define SYSLOG_HISTORY
#if defined (SYSLOG_HISTORY)
#  define SYSLOG_FACILITY LOG_USER
#  define SYSLOG_LEVEL LOG_INFO
#endif
$ ./configure
$ make install

When a Bash shell is started, it loads the existing history from a flat file (by default $HOME/.bash_history) and saves it when it exits. Besides the HISTTIMEFORMAT environment variable, there are others which also affect the way the logging of commands is performed (descriptions taken from the Bash manual):

HISTFILE
The name of the file to which the command history is saved. The default value is ~/.bash_history.

HISTFILESIZE
The maximum number of lines contained in the history file. When this variable is assigned a value, the history file is truncated, if necessary, to contain no more than that number of lines by removing the oldest entries. The history file is also truncated to this size after writing it when a shell exits. If the value is 0, the history file is truncated to zero size. Non-numeric values and numeric values less than zero inhibit truncation. The shell sets the default value to the value of HISTSIZE after reading any startup files.

HISTIGNORE
A colon-separated list of patterns used to decide which command lines should be saved on the history list. Each pattern is anchored at the beginning of the line and must match the complete line (no implicit "*" is appended). Each pattern is tested against the line after the checks specified by HISTCONTROL are applied. In addition to the normal shell pattern matching characters, "&" matches the previous history line. "&" may be escaped using a backslash; the backslash is removed before attempting a match. The second and subsequent lines of a multi-line compound command are not tested, and are added to the history regardless of the value of HISTIGNORE. HISTIGNORE subsumes the function of HISTCONTROL: a pattern of "&" is identical to ignoredups, and a pattern of "[ ]*" is identical to ignorespace. Combining these two patterns, separating them with a colon, provides the functionality of ignoreboth.

HISTCONTROL
A colon-separated list of values controlling how commands are saved on the history list. If the list of values includes ignorespace, lines which begin with a space character are not saved in the history list. A value of ignoredups causes lines matching the previous history entry to not be saved. A value of ignoreboth is shorthand for ignorespace and ignoredups. A value of erasedups causes all previous lines matching the current line to be removed from the history list before that line is saved.

HISTSIZE
The maximum number of commands to remember on the history list. If the value is 0, commands are not saved in the history list. Numeric values less than zero result in every command being saved on the history list (there is no limit). The shell sets the default value to 500 after reading any startup files.

HISTTIMEFORMAT
If this variable is set and not null, its value is used as a format string for strftime(3) to print the time stamp associated with each history entry displayed by the history builtin. If this variable is set, time stamps are written to the history file so they may be preserved across shell sessions. This uses the history comment character to distinguish timestamps from other history lines.
You can also affect the way logging is performed with the shopt builtin. The cmdhist shell option, if enabled, causes the shell to attempt to save all lines of a multi-line command in the same history entry, adding semicolons where necessary to preserve syntactic correctness:

$ shopt -s cmdhist

Finally, lithist saves the command with embedded newlines rather than semicolon separators (it only has an effect when cmdhist is also enabled):

$ shopt -s lithist

Also interesting: when you use the HISTTIMEFORMAT variable, the timestamps are written to the history file as comment lines holding the epoch time, each one just before the command it belongs to:

$ tail -10 .bash_history
#1458933529
history|less
#1458933544
vi .bash_history
#1458933792
wc -l .bash_history
#1458976122
more .bash_history
#1458976132
echo foobar
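Below, as an added example that is not part of the diary, the variables and shopt options discussed above are collected into a fragment meant to be sourced from /etc/bash.bashrc, together with a small awk reader for the timestamped history file. The readonly line, the histappend option, the PROMPT_COMMAND flush and the history_with_times, render_history and write_sample_history helpers are my additions and are not mentioned in the diary; the sample history file is constructed (its epochs are borrowed from the tail -10 listing above) and render_history assumes GNU date.

```shell
# Added example, not code from the diary. Meant to be sourced by bash;
# bash-only parts are guarded so the file also loads under a POSIX sh.

# ---- 1. History settings for /etc/bash.bashrc ----------------------------
# Bash defaults that hurt an investigation: HISTSIZE=500 (old entries are
# dropped), no HISTTIMEFORMAT (no timestamps in the file) and, on many
# distributions, HISTCONTROL=ignoreboth (a command typed with a leading
# space is never written).
HISTFILE="${HOME}/.bash_history"
HISTSIZE=-1                      # < 0: keep every command in memory
HISTFILESIZE=-1                  # < 0: never truncate the file
HISTTIMEFORMAT='%d/%m/%y %T '    # also writes "#<epoch>" lines to the file
HISTCONTROL=                     # empty: no ignorespace, no ignoredups
HISTIGNORE=                      # empty: no pattern is filtered out
if [ -n "${BASH_VERSION:-}" ]; then
    # histappend: concurrent sessions append instead of overwriting each
    # other; cmdhist + lithist: multi-line commands stay one entry, newlines
    # intact.
    shopt -s histappend cmdhist lithist
    # Flush after every command, so a killed shell does not lose its history.
    PROMPT_COMMAND='history -a'
fi
# Blocks "unset HISTFILE" / "HISTFILE=/dev/null" in the running shell. The
# user can still exec another shell or Bash binary, as the diary notes.
readonly HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT HISTCONTROL HISTIGNORE

# ---- 2. Reading the file bash writes when HISTTIMEFORMAT is set ----------
# Each "#<epoch>" comment line stamps the command line(s) that follow it.
# The epoch applies to every line up to the next marker, so a lithist entry
# spanning several lines keeps its timestamp. Lines written before
# HISTTIMEFORMAT was enabled have no marker and are reported with "-"
# instead of being dropped. Output: "<epoch or ->\t<command line>".
# Caveat: .bash_history belongs to the user, so markers can be forged or
# removed; only the syslog route gives timestamps the user cannot rewrite.
history_with_times() {
    awk '
        /^#[0-9]+$/ { ts = substr($0, 2); next }           # timestamp marker
        { printf "%s\t%s\n", (ts == "" ? "-" : ts), $0 }   # command line
    ' "$1"
}

# Human-readable timeline. Assumes GNU date (-d "@epoch"); on BSD/macOS
# replace it with: date -u -r "$ts" '+%F %T UTC'
render_history() {
    history_with_times "$1" | while IFS="$(printf '\t')" read -r ts cmd; do
        if [ "$ts" = "-" ]; then
            when='(no timestamp)   '
        else
            when=$(date -u -d "@$ts" '+%F %T UTC')
        fi
        printf '%s  %s\n' "$when" "$cmd"
    done
}

# Constructed sample, not a real capture: the first line predates the
# timestamps, the epochs come from the diary's listing, and the last entry
# is a lithist multi-line command.
write_sample_history() {
    cat > "$1" <<'EOF'
uname -a
#1458933529
history|less
#1458933544
vi .bash_history
#1458933792
for f in /etc/passwd /etc/shadow
do cat "$f"
done
EOF
}

# Demo run (the sample file is removed afterwards).
f="${TMPDIR:-/tmp}/bash_history.sample.$$"
write_sample_history "$f"
history_with_times "$f"
rm -f "$f"
```

Sourcing the fragment makes the HIST* variables read-only for the session, so the usual export HISTFILE=/dev/null or unset HISTFILE fails with "readonly variable"; exec'ing zsh or a private Bash binary still escapes it, which is the limitation the diary points out below. The demo run prints six tab-separated lines: "-" for uname -a, one epoch per simple command, and the same epoch repeated on the three lines of the for loop.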
You can add these environment variables in /etc/bash.bashrc or, per user, in $HOME/.bashrc. Note that these environment variables do not prevent a malicious user from disabling the Bash history! Just spawn another shell (zsh, ksh) and you will escape the logging features. If you really want to track what users are doing, have a look at psacct, which runs in the background to track the processes executed on the system (process accounting).

Xavier Mertens
ISC Handler - Freelance Security Consultant