Re: root .history
thanks to all... appreciate your replies...

On Tue, Mar 31, 2020 at 6:37 PM Tatsuki Makino wrote:

> set savehist = (1000 merge) is broken from 6.21.00 or another before.
> You must run history -M before exiting tcsh.

___
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Re: root .history
set savehist = (1000 merge) is broken from 6.21.00 or another before.
You must run history -M before exiting tcsh.
Re: root .history
Seems a little extreme, you could check other users' .cshrc .tcshrc files and see if there is a builtin mech for (history -c) in a trap or otherwise that might explain it. If root history is a concern, audit should probably be set up on that system if it runs that deep in the infrastructure before evaluating a secure level and chflags.

> On Mar 31, 2020, at 13:09, Selphie Keller wrote:
>
> You could set a higher securelevel and use system flags like:
> chflags sappnd .history
> Which will prevent it from being erased and only allow appending.
>
> On Tue, 31 Mar 2020 at 10:59, el kalin wrote:
>
>> hi all...
>>
>> noticed that over night the shell .history file for root was emptied. the file is there but there is no history in it. this is unusual and it's the second time it happens in 2 months. it's particularly peculiar since nobody else has the root password for this machine. i can't see any ssh access in auth.log and ssh access is limited to a handful of ips... how could i figure out what is emptying the .history file?
>>
>> thanks...
>>
>> also, the .cshrc looks like this:
>>
>> set promptchars = "%#"
>>
>> set filec
>> set history = 1000
>> set savehist = (1000 merge)
>> set autolist = ambiguous
>> # Use history to aid expansion
>> set autoexpand
>> set autorehash
>> set mail = (/var/mail/$USER)
>> if ( $?tcsh ) then
>>     bindkey "^W" backward-delete-word
>>     bindkey -k up history-search-backward
>>     bindkey -k down history-search-forward
>> endif

-- 
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
Re: root .history
You could set a higher securelevel and use system flags like:
chflags sappnd .history
Which will prevent it from being erased and only allow appending.

On Tue, 31 Mar 2020 at 10:59, el kalin wrote:

> hi all...
>
> noticed that over night the shell .history file for root was emptied. the file is there but there is no history in it. this is unusual and it's the second time it happens in 2 months. it's particularly peculiar since nobody else has the root password for this machine. i can't see any ssh access in auth.log and ssh access is limited to a handful of ips... how could i figure out what is emptying the .history file?
>
> thanks...
>
> also, the .cshrc looks like this:
>
> set promptchars = "%#"
>
> set filec
> set history = 1000
> set savehist = (1000 merge)
> set autolist = ambiguous
> # Use history to aid expansion
> set autoexpand
> set autorehash
> set mail = (/var/mail/$USER)
> if ( $?tcsh ) then
>     bindkey "^W" backward-delete-word
>     bindkey -k up history-search-backward
>     bindkey -k down history-search-forward
> endif
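
One way to narrow down when the history file is emptied, as an added example that is not part of any post in this thread: a small POSIX sh check that notices the transition from non-empty to empty and keeps the last non-empty copy, so the gap between two checks bounds the time window to compare against auth.log and cron. The function name `check_history`, the state directory layout and the paths in the cron comment are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). check_history and the state directory
# layout are hypothetical names chosen for this sketch.
#
# check_history FILE STATEDIR
#   returns 0: file is unchanged, grew, or was already empty at the last check
#   returns 1: file went from non-empty to empty (or missing) since last check
#   returns 2: state directory could not be created
check_history() {
    ch_file=$1
    ch_state=$2
    mkdir -p "$ch_state" || return 2

    # wc -c is portable; stat(1) format flags differ between BSD and GNU.
    ch_now=0
    if [ -f "$ch_file" ]; then
        ch_now=$(wc -c < "$ch_file" | tr -d ' ')
    fi
    ch_prev=0
    if [ -f "$ch_state/size" ]; then
        ch_prev=$(cat "$ch_state/size")
    fi
    printf '%s\n' "$ch_now" > "$ch_state/size"

    if [ "$ch_now" -eq 0 ] && [ "$ch_prev" -gt 0 ]; then
        # Record when the loss was noticed plus the file's current owner and
        # mtime; last_good still holds the contents from before the wipe.
        ch_ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        printf '%s emptied: %s (was %s bytes) now: %s\n' "$ch_ts" "$ch_file" \
            "$ch_prev" "$(ls -l "$ch_file" 2>/dev/null)" >> "$ch_state/events.log"
        return 1
    fi

    # Only a non-empty file may replace the saved copy, so an emptied file
    # never overwrites the evidence.
    if [ "$ch_now" -gt 0 ]; then
        cp -p "$ch_file" "$ch_state/last_good"
    fi
    return 0
}

# Example cron entry (assumed paths), checking once a minute:
# * * * * * . /root/bin/check_history.sh; check_history /root/.history /var/db/histwatch
```

The check reports when the file was found empty and what it last contained, not which process emptied it; the last entries in `last_good` show which session wrote the file before the loss.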