Date:      Tue, 31 Mar 2020 13:25:55 -0500
From:      "J. Hellenthal" <jhellenthal@dataix.net>
To:        Selphie Keller <selphie.keller@gmail.com>
Cc:        el kalin <kalin@el.net>, freebsd-security@freebsd.org
Subject:   Re: root .history
Message-ID:  <C811F001-5474-444A-8CAF-E8E618779ECA@dataix.net>
In-Reply-To: <CAAhz9On63753LH2XoDMzFzZ+SB5hzzz8F74S2EYWqWtSufztKA@mail.gmail.com>
References:  <CAMJXockTE3xBp=DcTocAtbFNsyEVzTy1AwO7zNPD5m6GMKD0Zg@mail.gmail.com> <CAAhz9On63753LH2XoDMzFzZ+SB5hzzz8F74S2EYWqWtSufztKA@mail.gmail.com>


Seems a little extreme, you could check other users' .cshrc/.tcshrc files and see if there is a builtin mech for (history -c) in a trap or otherwise that might explain it.

If root history is a concern, audit should probably be set up on that system if it runs that deep in the infrastructure before evaluating a secure level and chflags.

> On Mar 31, 2020, at 13:09, Selphie Keller <selphie.keller@gmail.com> wrote:
> 
> You could set a higher securelevel and use system flags like:
> chflags sappnd .history
> Which will prevent it from being erased and only allow appending.
> 
> On Tue, 31 Mar 2020 at 10:59, el kalin <kalin@el.net> wrote:
> 
>> hi all...
>> 
>> noticed that over night the shell .history file for root was emptied. the
>> file is there but there is no history in it. this is unusual and it's the
>> second time it happens in 2 months. it's particularly peculiar since nobody
>> else has the root password for this machine. i can't see any ssh access in
>> auth.log and ssh access is limited to a handful of ips...  how could i
>> figure out what is emptying the .history file?
>> 
>> thanks...
>> 
>> also, the .cshrc looks like this:
>> 
>>    set promptchars = "%#"
>> 
>>        set filec
>>        set history = 1000
>>        set savehist = (1000 merge)
>>        set autolist = ambiguous
>>        # Use history to aid expansion
>>        set autoexpand
>>        set autorehash
>>        set mail = (/var/mail/$USER)
>>        if ( $?tcsh ) then
>>                bindkey "^W" backward-delete-word
>>                bindkey -k up history-search-backward
>>                bindkey -k down history-search-forward
>>        endif
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>> 


-- 

J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
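A defender-side triage script that covers both suggestions in this thread: scanning rc files for a history-clearing builtin, and checking whether an sappnd flag under a raised securelevel would actually protect root's .history. This is an added example, not code from the thread; the function names and the regex are my own, and the flag/securelevel checks assume FreeBSD's ls -lo and sysctl kern.securelevel.

```shell
#!/bin/sh
# Added example (not code from the thread): triage an emptied root .history.
# 1) scan csh/tcsh rc files for statements that clear or truncate history
#    (the builtin 'history -c', savehist unset, the file removed/truncated),
#    ignoring '#' comments; 2) on FreeBSD report the file's flags and
#    kern.securelevel, since system flags like sappnd cannot be cleared once
#    securelevel >= 1. Assumption: 'ls -lo'/'sysctl kern.securelevel' are
#    FreeBSD-only and are skipped on other systems.

HIST_CLEAR_RE='history[[:space:]]+-c|unset[[:space:]]+savehist|(rm|>|cp)[^#]*\.history'

# scan_history_clears FILE... : print file:line:text for every suspicious line
scan_history_clears() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # strip comments first so a commented-out 'history -c' is not a hit
        sed 's/#.*$//' "$f" | grep -En "$HIST_CLEAR_RE" | sed "s|^|$f:|"
    done
}

# count_history_clears FILE... : number of suspicious lines across all files
count_history_clears() {
    n=$(scan_history_clears "$@" | grep -c . || true)
    echo "$n"
}

# check_root_history [PATH] : size, flags and securelevel of root's history file
check_root_history() {
    hist=${1:-/root/.history}
    if [ ! -e "$hist" ]; then
        echo "$hist: missing"
        return 1
    fi
    echo "$hist: $(wc -c < "$hist" | tr -d ' ') bytes"
    if [ "$(uname -s)" = FreeBSD ]; then
        flags=$(ls -lo "$hist" | awk '{print $5}')   # column 5 of 'ls -lo' is the flags
        echo "flags: $flags  kern.securelevel: $(sysctl -n kern.securelevel)"
        case $flags in
            *sappnd*) echo "append-only: yes" ;;
            *)        echo "append-only: no ('chflags sappnd $hist' would set it)" ;;
        esac
    else
        echo "not FreeBSD: skipping flags/securelevel checks"
    fi
}
```

Source the file and run `scan_history_clears /root/.cshrc /home/*/.cshrc /home/*/.tcshrc`, then `check_root_history`; a hit from the scan explains the emptied file without an intruder, while no hit plus a writable, non-append-only file under securelevel 0 means the flag alone buys little until the securelevel is raised.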