From: Selphie Keller
Date: Tue, 31 Mar 2020 12:09:25 -0600
Subject: Re: root .history
To: el kalin
Cc: freebsd-security@freebsd.org

You could set a higher securelevel and use system flags like:

    chflags sappnd .history

Which will prevent it from being erased and only allow appending.

On Tue, 31 Mar 2020 at 10:59, el kalin wrote:

> hi all...
>
> noticed that over night the shell .history file for root was emptied. the
> file is there but there is no history in it. this is unusual and it's the
> second time it happens in 2 months. it's particularly peculiar since nobody
> else has the root password for this machine. i can't see any ssh access in
> auth.log and ssh access is limited to a handful of ips... how could i
> figure out what is emptying the .history file?
>
> thanks...
>
> also, the .cshrc looks like this:
>
> set promptchars = "%#"
>
> set filec
> set history = 1000
> set savehist = (1000 merge)
> set autolist = ambiguous
> # Use history to aid expansion
> set autoexpand
> set autorehash
> set mail = (/var/mail/$USER)
> if ( $?tcsh ) then
>     bindkey "^W" backward-delete-word
>     bindkey -k up history-search-backward
>     bindkey -k down history-search-forward
> endif
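
Added example, not part of the original message or the quoted post: a small sh check for the suggestion in the reply. It reports whether a file carries the sappnd flag and whether the running securelevel stops root from clearing that flag again. The function names, the default path /root/.history and the constructed sample line are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. To apply the reply's suggestion on FreeBSD:
#   chflags sappnd /root/.history          # system append-only flag
#   sysrc kern_securelevel_enable=YES kern_securelevel=1   # takes effect at boot
# At securelevel 0 or -1 root can still run "chflags nosappnd", so the
# flag only resists a root-level process once securelevel is 1 or higher.

# flags_of LINE: print the file-flags column (field 5) of one `ls -lo` line.
# Assumes user and group names contain no spaces.
flags_of() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# has_flag FLAGS NAME: succeed when NAME is one of the comma-separated FLAGS.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# assess LS_LINE SECURELEVEL: print a one-line verdict for the file.
assess() {
    flags=$(flags_of "$1")
    if ! has_flag "$flags" sappnd; then
        echo "UNPROTECTED: sappnd not set (flags: $flags)"
    elif [ "$2" -lt 1 ]; then
        echo "WEAK: sappnd set, but securelevel $2 lets root clear it"
    else
        echo "OK: sappnd set and securelevel $2 blocks clearing it"
    fi
}

if [ "$(uname -s)" = "FreeBSD" ]; then
    # Live check; the path defaults to root's history file (assumed location).
    f=${1:-/root/.history}
    assess "$(ls -lo "$f")" "$(sysctl -n kern.securelevel)"
else
    # Constructed sample line so the logic can be exercised off FreeBSD.
    assess '-rw-------  1 root  wheel  sappnd 512 Mar 31 12:00 /root/.history' -1
fi
```
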