A few months ago, I posted an article about how to add extra logging facilities to the shell. For specific users, it can be useful to keep a complete history of their activity on your server (for audit purposes). The first release candidate of Bash 4.1 has been available for a few days. Good surprise: the developers added Syslog support to log user activity. From the new features list:
“There is a new configuration option (in config-top.h) that forces bash to forward all history entries to syslog.”
The new logging implementation is quite simple: for each command written to the classic history file, a copy is sent to the Syslog daemon (with LOG_USER:LOG_INFO as the default facility and level, configurable at compile time).
As discussed on Twitter with , this could lead to new ways of information leakage! Here are some examples of dangerous commands that would be sent to a Syslog daemon:
mysql -h 192.168.1.24 -u dba --password=mysafepwd users
unzip -P strongpass confidential_contracts.zip
Note that the old method (using $HOME/.bash_history by default) was not a bulletproof solution either, but a compromised history file affects only its owner. Now, two new attack vectors have been introduced:
Via /var/log (or /var/adm), where the local log files are located: the history of all users is now stored in one central place.
Via network tapping: Syslog relies on UDP and is a clear-text protocol.
How to avoid critical information leakage? First, do not store local log files (or restrict access to them, or encrypt them). Forward the messages to a centralized location over a secure tunnel (VPN).
I’ve been using Syslog logging for a while on , and I’d recommend using the Syslog history only for users above a certain UID. Usually administrative and application users have a low UID, so just create your regular users above UID 1000 (as an example). This can be patched into the Bash source code very quickly.
Another good practice is to NOT pass passwords as arguments. As seen in the MySQL example above: instead of using “--password=mypwd”, prefer the “-P” flag, which will prompt you for the password later!
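The two mitigations above (keep history only for UIDs above a threshold, and keep secrets out of what gets stored) can also be enforced on the log collector instead of by patching Bash. The following is an added example, not code from the post or from Bash itself: a small Python filter that reads syslog lines, drops entries from low UIDs, and redacts the password arguments shown earlier (mysql's --password=VALUE and unzip's -P VALUE) before the lines are stored or forwarded. The "HISTORY: PID=<pid> UID=<uid> <command>" message shape is an assumption about how Bash formats the forwarded entry, and the log lines are constructed samples. A line using the mysql client's -p with no attached value (which makes the client prompt for the password) is included to show that nothing is left to redact in that case.

```python
import re

# Constructed sample syslog lines (not real log data). The message shape
# "HISTORY: PID=<pid> UID=<uid> <command>" is an assumption about the format
# Bash uses when history forwarding to syslog is enabled.
SAMPLE_LOG = """\
Nov 12 10:01:02 srv1 bash: HISTORY: PID=2311 UID=0 ls -la /var/log
Nov 12 10:02:15 srv1 bash: HISTORY: PID=2402 UID=1001 mysql -h 192.168.1.24 -u dba --password=mysafepwd users
Nov 12 10:03:40 srv1 bash: HISTORY: PID=2455 UID=1001 unzip -P strongpass confidential_contracts.zip
Nov 12 10:04:01 srv1 bash: HISTORY: PID=2460 UID=1002 grep -i error app.log
Nov 12 10:05:30 srv1 bash: HISTORY: PID=2470 UID=1002 mysql -h 192.168.1.24 -u dba -p users
"""

# Extract pid, uid and the command text from one forwarded history entry.
HISTORY_RE = re.compile(r"HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$")

# Command-line password forms from the post. Group 1 keeps the flag, the
# rest (the secret value) is replaced by a placeholder.
SECRET_PATTERNS = [
    re.compile(r"(--password=)\S+"),           # mysql --password=VALUE
    re.compile(r"(\bunzip\b.*?\s-P\s+)\S+"),   # unzip -P VALUE
]

REDACTED = "<REDACTED>"


def parse_history_line(line):
    """Return (pid, uid, cmd) for a forwarded history line, or None if the
    line is not a history entry."""
    m = HISTORY_RE.search(line)
    if not m:
        return None
    return int(m.group("pid")), int(m.group("uid")), m.group("cmd")


def redact_secrets(cmd):
    """Replace password values passed on the command line with a placeholder.
    A bare 'mysql -p' (prompting form) carries no value and is left untouched."""
    for pat in SECRET_PATTERNS:
        cmd = pat.sub(r"\1" + REDACTED, cmd)
    return cmd


def filter_history(log_text, min_uid=1000):
    """Keep only history entries from users with UID >= min_uid (the post's
    UID-threshold policy, applied at the collector) and redact secrets in
    what is kept. Returns a list of (uid, redacted_cmd) tuples."""
    kept = []
    for line in log_text.splitlines():
        parsed = parse_history_line(line)
        if parsed is None:
            continue          # not a history entry, ignore
        _pid, uid, cmd = parsed
        if uid < min_uid:
            continue          # administrative/application user, do not record
        kept.append((uid, redact_secrets(cmd)))
    return kept


if __name__ == "__main__":
    for uid, cmd in filter_history(SAMPLE_LOG):
        print(f"UID={uid} {cmd}")
```

In practice this logic would sit in the collector's pipeline (a syslog-ng or rsyslog rewrite rule does the same job) rather than in a standalone script; the point is that the redaction happens before the entry reaches disk or the network, since the post's concern is that both the local log files and the clear-text UDP stream expose whatever Bash forwarded.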
Reposted from: http://wiqmb.baihongyu.com/