Date: Tue, 31 Mar 2020 13:25:55 -0500
From: "J. Hellenthal" <jhellenthal@dataix.net>
To: Selphie Keller <selphie.keller@gmail.com>
Cc: el kalin <kalin@el.net>, freebsd-security@freebsd.org
Subject: Re: root .history
Message-ID: <C811F001-5474-444A-8CAF-E8E618779ECA@dataix.net>
In-Reply-To: <CAAhz9On63753LH2XoDMzFzZ%2BSB5hzzz8F74S2EYWqWtSufztKA@mail.gmail.com>
References: <CAMJXockTE3xBp=DcTocAtbFNsyEVzTy1AwO7zNPD5m6GMKD0Zg@mail.gmail.com> <CAAhz9On63753LH2XoDMzFzZ%2BSB5hzzz8F74S2EYWqWtSufztKA@mail.gmail.com>

Seems a little extreme, you could check other users' .cshrc .tcshrc files and see if there is a builtin mech for (history -c) in a trap or otherwise that might explain it.

If root history is a concern, audit should probably be set up on that system if it runs that deep in the infrastructure before evaluating a secure level and chflags.

> On Mar 31, 2020, at 13:09, Selphie Keller <selphie.keller@gmail.com> wrote:
>
> You could set a higher securelevel and use system flags like:
> chflags sappnd .history
> Which will prevent it from being erased and only allow appending.
>
> On Tue, 31 Mar 2020 at 10:59, el kalin <kalin@el.net> wrote:
>
>> hi all...
>>
>> noticed that over night the shell .history file for root was emptied. the
>> file is there but there is no history in it. this is unusual and it's the
>> second time it happens in 2 months. it's particularly peculiar since nobody
>> else has the root password for this machine. i can't see any ssh access in
>> auth.log and ssh access is limited to a handful of ips... how could i
>> figure out what is emptying the .history file?
>>
>> thanks...
>>
>> also, the .cshrc looks like this:
>>
>> set promptchars = "%#"
>>
>> set filec
>> set history = 1000
>> set savehist = (1000 merge)
>> set autolist = ambiguous
>> # Use history to aid expansion
>> set autoexpand
>> set autorehash
>> set mail = (/var/mail/$USER)
>> if ( $?tcsh ) then
>>     bindkey "^W" backward-delete-word
>>     bindkey -k up history-search-backward
>>     bindkey -k down history-search-forward
>> endif
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
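
One way to carry out the check suggested in the reply above (looking through .cshrc/.tcshrc and related files for something that clears history), as an added example that is not part of the thread. The pattern list, the function names and the sample .logout are assumptions made for illustration; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag csh/tcsh startup and logout file
# lines that can clear or disable saved history. The pattern list is an
# assumption about what is worth reviewing, not an exhaustive rule set.
HIST_PATTERNS='history[[:space:]]+-c|unset[[:space:]]+(history|savehist|histfile)'
HIST_PATTERNS="$HIST_PATTERNS"'|set[[:space:]]+(history|savehist)[[:space:]]*=[[:space:]]*\(?0'
HIST_PATTERNS="$HIST_PATTERNS"'|histfile[[:space:]]*=[[:space:]]*/dev/null'

# Print "file:line:text" for every non-comment line that matches.
scan_rc_file() {
    [ -r "$1" ] || return 0
    grep -nE "$HIST_PATTERNS" "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | awk -v f="$1" '{ print f ":" $0 }'
}

# Scan the per-user files tcsh reads at startup and logout.
scan_home() {
    for f in .cshrc .tcshrc .login .logout; do
        scan_rc_file "$1/$f"
    done
}

# Constructed sample home: .cshrc settings taken from the thread plus a
# hypothetical .logout that wipes history when the shell exits.
make_sample_home() {
    d=$(mktemp -d) || return 1
    cat > "$d/.cshrc" <<'EOF'
set history = 1000
set savehist = (1000 merge)
# history -c in a comment must not be reported
EOF
    cat > "$d/.logout" <<'EOF'
history -c
unset savehist
EOF
    echo "$d"
}

# Stand-alone run: scan the home directory given as $1, else the sample.
if [ -n "${1:-}" ]; then
    scan_home "$1"
else
    sample=$(make_sample_home) && scan_home "$sample" && rm -rf "$sample"
fi
```

The system-wide files (/etc/csh.cshrc, /etc/csh.login, /etc/csh.logout) can be checked with `scan_rc_file` directly.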