I'm not sure how much has transpired in this thread. Have you looked at your backup for the system? The su has history. (sudo) check login.defs for info - if none you may need to set up. The logins within the user have history. There are also the system logs which may give a clue to this. /var/log and other places, older versions adm. Also check in /etc and if you use gnome or kde they have logs.

Thanks,
Tim Sinks

----- Original Message -----
From: "Tom Penney" <blots at visi.com>
To: "TCLUG Mailing List" <tclug-list at mn-linux.org>
Sent: Friday, November 14, 2003 2:05 PM
Subject: Re: [TCLUG] root bash history

> On Thu, 2003-11-13 at 22:37, John J. Trammell wrote:
> > On Thu, Nov 13, 2003 at 08:34:06PM -0600, Tom Penney wrote:
> > > I just noticed that the .bash_history file is gone on a box that I am
> > > supposedly the only one with root access. RedHat 7.2. Can anyone think
> > > of a legitimate reason why the history might vanish?
> > >
> >
> > Just for kicks, what does chkrootkit say?
>
> On Thu, 2003-11-13 at 22:32, rware at interplastic.com wrote:
> > You were playing with rm and * ;)
>
> I indeed was using rm -i ./* in a completely different directory. I
> thought I contained my deletion to the files I intended to delete.
>
> I did download and run chkrootkit which did not find anything. I did
> not boot the machine clean though, I just ran it.
>
> I also have been running tripwire on this machine for over a year.
> Tripwire finds nothing.
>
> I did find out that a software developer does have root access to this
> machine, and he did su. I do completely trust this person (should I?)
> and he does have every right to be root on this machine and a legitimate
> need. I did not realize he wrote down the password I gave him
> months ago. He claims he did nothing to the history.
>
> Can anyone think of a way I or my colleague could have inadvertently
> cleared the history? I know history -c will do the job but I don't see
> how that could be done by mistake.
>
> Maybe I'm being too paranoid but it bothers me. If someone is good
> enough to root this box and to hide it from both chkrootkit and tripwire
> you would think they would have just deleted the incriminating lines
> from the history so they would not be discovered.
>
> - Tom
>
>
> --
> Tom Penney <blots at visi.com>
>
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list
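
The two checks suggested in this thread (what state root's history file is in, and who used su to become root according to the system log), as an added shell example that is not part of the original messages. The function names and the syslog line format (su session lines written by pam_unix, as found in /var/log/messages or a similar file) are assumptions.

```shell
#!/bin/sh
# Added example: triage for a missing root shell history.
# Assumption: su sessions are logged by pam_unix in lines such as
#   "Nov 13 14:02:11 host su(pam_unix)[1234]: session opened for user root by dev(uid=501)"

# history_state FILE
# Prints one of: missing | empty | symlink:<target> | present:<line count>
history_state() {
    f=$1
    if [ -L "$f" ]; then
        # A symlink means history is being written somewhere other than FILE.
        printf 'symlink:%s\n' "$(readlink "$f")"
    elif [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        echo empty
    else
        printf 'present:%s\n' "$(wc -l < "$f" | tr -d ' ')"
    fi
}

# su_to_root LOGFILE
# Prints "Mon DD HH:MM:SS invoking-user" for every su session opened for root,
# so the sessions can be lined up against the time the history went missing.
su_to_root() {
    awk '/ su[^a-zA-Z]/ && /session opened for user root(\(uid=0\))? by / {
        who = $NF                          # e.g. "dev(uid=501)"
        sub(/\(uid=[0-9]+\)$/, "", who)    # keep only the account name
        print $1, $2, $3, who
    }' "$1"
}

# Run directly as: sh triage.sh /var/log/messages /root/.bash_history
if [ $# -eq 2 ]; then
    echo "history file: $(history_state "$2")"
    echo "su sessions opened for root:"
    su_to_root "$1"
fi
```

Rotated logs (messages.1 and so on) need to be passed in separately, and the history file's parent directory mtime is worth comparing against the session times this prints.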