A few months ago, I posted an article about how to add extra logging facilities to the Bash shell. For specific users, it can be useful to have a complete history of their activity on your server (for audit purposes). The first release candidate of Bash 4.1 is available for a few days. Good surprise, the developers added Syslog support to log the user activity. From the new features list:
“There is a new configuration option (in config-top.h) that forces bash to forward all history entries to syslog.“.
The new logging implementation is quite simple. For each command dumped to the classic history file, a copy is sent to the Syslog daemon (with LOG_USER:LOG_INFO as default facility and level – configurable at compilation time).
As discussed on Twitter with @seccubus, this could lead to new ways of information leakage! Here are some examples of
interesting dangerous commands that can be sent to a Syslog daemon:
mysql -h 192.168.1.24 -u dba --password=mysafepwd users unzip -P strongpass confidential_contracts.zip
Note that the old method (using $HOME/.bash_history by default) was not a bullet proof solution but a compromized file will affect only the owner. Now, new attack vectors have been introduced: Via /var/log (or /var/adm), where are located the local log files, the history of all users will be stored in a central place. Via network tapping, as Syslog relies on UDP and is a clear-text protocol.
How to avoid critical information leakage? First, do not store local log files (or restrict their access, encrypt them). Forward the messages to a centralized location using a secure tunnel (VPN).
I’m using Syslog logging for a while on rootshell.be, I’d recommend to use the Syslog history only for users above a certain UID. Usually administrative and application users have a low UID. Just create your regular users above UID 1000 (as an example). This can very quickly patched in the Bash source code.
Another good practice would be to NOT give passwords as arguments. As seen in the MySQL example above: Instead of using “–password=mypwd”, prefer the “-P” flag which will ask you the password later!