Date: Tue, 31 Mar 2020 12:09:25 -0600
From: Selphie Keller <selphie.keller@gmail.com>
To: el kalin <kalin@el.net>
Cc: freebsd-security@freebsd.org
Subject: Re: root .history
Message-ID: <CAAhz9On63753LH2XoDMzFzZ%2BSB5hzzz8F74S2EYWqWtSufztKA@mail.gmail.com>
In-Reply-To: <CAMJXockTE3xBp=DcTocAtbFNsyEVzTy1AwO7zNPD5m6GMKD0Zg@mail.gmail.com>
References: <CAMJXockTE3xBp=DcTocAtbFNsyEVzTy1AwO7zNPD5m6GMKD0Zg@mail.gmail.com>

You could set a higher securelevel and use system flags like:

chflags sappnd .history

Which will prevent it from being erased and only allow appending.

On Tue, 31 Mar 2020 at 10:59, el kalin <kalin@el.net> wrote:

> hi all...
>
> noticed that over night the shell .history file for root was emptied. the
> file is there but there is no history in it. this is unusual and it's the
> second time it happens in 2 months. it's particularly peculiar since nobody
> else has the root password for this machine. i can't see any ssh access in
> auth.log and ssh access is limited to a handful of ips... how could i
> figure out what is emptying the .history file?
>
> thanks...
>
> also, the .cshrc looks like this:
>
> set promptchars = "%#"
>
> set filec
> set history = 1000
> set savehist = (1000 merge)
> set autolist = ambiguous
> # Use history to aid expansion
> set autoexpand
> set autorehash
> set mail = (/var/mail/$USER)
> if ( $?tcsh ) then
>     bindkey "^W" backward-delete-word
>     bindkey -k up history-search-backward
>     bindkey -k down history-search-forward
> endif
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
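
The following check is an added example, not part of the thread: it classifies how strongly a history file is protected from its flag string and the kernel securelevel, since the system append-only flag can still be cleared by root until kern.securelevel is 1 or higher. The function names and the /root/.history path are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Setup on the FreeBSD host
# (/root/.history is an assumed path for root's history file):
#   chflags sappnd /root/.history
#   /etc/rc.conf:  kern_securelevel_enable="YES"
#                  kern_securelevel="1"        # takes effect at next boot

# assess_flags FLAGS SECURELEVEL   (hypothetical helper)
#   FLAGS:       comma-separated flag string as printed in the flags column
#                of `ls -lo` ("-" means no flags)
#   SECURELEVEL: value of `sysctl -n kern.securelevel`
assess_flags() {
    flags=$1
    level=$2
    case ",$flags," in
        *,sappnd,*) ;;                         # system append-only flag is set
        *) echo "no-sappnd"; return 0 ;;       # file can be truncated or replaced
    esac
    if [ "$level" -ge 1 ]; then
        echo "sappnd-locked"                   # system flags cannot be turned off
    else
        echo "sappnd-clearable"                # root can still `chflags nosappnd`
    fi
}

# assess_path FILE   (hypothetical helper, FreeBSD only: reads live state)
assess_path() {
    assess_flags "$(stat -f %Sf "$1")" "$(sysctl -n kern.securelevel)"
}

# Constructed sample states (flags:securelevel), not captured from a real host.
for sample in "-:-1" "sappnd:-1" "uarch,sappnd:1"; do
    printf '%-14s securelevel=%-2s -> %s\n' "${sample%%:*}" "${sample##*:}" \
        "$(assess_flags "${sample%%:*}" "${sample##*:}")"
done
```

On the FreeBSD machine itself, `assess_path /root/.history` reports the live state; a result other than `sappnd-locked` means the file can still be emptied by a process running as root.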
