Who moved my mainframe? Use the history command flexibly

Time: 2021-09-15


On Linux, the history command shows all the commands a user has run, which makes it very useful for security incident response. Without extra configuration, however, history shows only the commands themselves: it does not tell you which user ran them or when, which makes audit analysis awkward.

Of course, careless habits, such as passing passwords on the command line, can also leak sensitive information through the command history.

This article shows how to make the history log more detailed and therefore more useful for audit analysis.

1. Add time to command history

By default, as the figure below shows, a history entry carries no execution time, which is unhelpful for audit analysis.


Setting export HISTTIMEFORMAT='%F %T ' makes history print the execution time in front of each command (%F is the date as YYYY-MM-DD, %T the time as HH:MM:SS).

Note the space between %T and the closing quote; without it there is no separator between the time and the command in the history output.

To make this permanent, write the setting into /etc/profile, which applies to every user's login shell. To configure a single user only, write it into that user's ~/.bash_profile (/home/$USER/.bash_profile) instead.

This article uses /etc/profile as the example.


To make the change take effect immediately, run source /etc/profile and then check the history: the execution time now appears in each record.


For a more detailed record that ties together the logged-in user, the source IP address, the command and the time it was run, add the following line to /etc/profile instead (the command substitutions run once at login, and the resulting address and user name become literal text in the format string):

export HISTTIMEFORMAT="%F %T $(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g') $(whoami) "

Here who -u am i prints the login session of the current terminal; its last field is the remote host in parentheses, which sed strips. whoami adds the effective user, so a session that logged in as one user and switched with su - still shows the original address together with the current user. The spaces matter: one after %T, one between the two substitutions and one before the closing quote, otherwise the fields run together.


After /etc/profile is modified and reloaded, each history record shows time, IP, user and the executed command, as in the figure below. Keep in mind that the IP and user are rendered when history is displayed, not stored: bash writes only an epoch timestamp (a comment line such as #1631671200) into ~/.bash_history, and the format string is applied by the shell in which you run history, so the stamp reflects that shell's login rather than necessarily the shell that ran the command.
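The procedure above, as an added example that is not part of the original article: a small POSIX sh script that builds the audit-style HISTTIMEFORMAT and then shows, in a throwaway bash, what a stamped history entry looks like. It assumes bash is installed; the function names (source_addr, audit_hist_format, demo_history_line), the address 10.0.0.5, the user alice and the SSH_CONNECTION value are constructed for the example. Unlike the article's one-liner it takes the source address from SSH_CONNECTION first and only falls back to who -u am i, because who prints nothing when the session has no utmp entry (ssh host 'command', many containers, sudo without a tty), which would otherwise leave the IP field empty.

```shell
#!/bin/sh
# Added example, not from the original article.  Builds the audit-style
# HISTTIMEFORMAT (time, source address, user, then the command) and shows,
# in a disposable bash, what a stamped history entry looks like.

# source_addr SSH_CONNECTION_VALUE
#   Prints the client address.  Order of preference:
#     1. first field of SSH_CONNECTION ("client_ip client_port server_ip server_port"),
#     2. the parenthesised host from `who -u am i` (the article's method;
#        empty when the session has no utmp entry),
#     3. the literal "local".
source_addr() {
    sshconn=$1
    if [ -n "$sshconn" ]; then
        printf '%s\n' "${sshconn%% *}"
        return 0
    fi
    addr=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
    if [ -n "$addr" ]; then
        printf '%s\n' "$addr"
    else
        printf 'local\n'
    fi
}

# audit_hist_format SSH_CONNECTION_VALUE USER
#   Prints the HISTTIMEFORMAT string.  %F and %T are expanded by strftime
#   when `history` renders an entry; the address and user are baked in as
#   literal text at login, exactly as in the article's /etc/profile line.
#   The trailing space keeps the user name from running into the command.
audit_hist_format() {
    printf '%%F %%T %s %s \n' "$(source_addr "$1")" "$2"
}

# demo_history_line SSH_CONNECTION_VALUE USER
#   Starts a fresh non-interactive bash with the format in its environment,
#   turns history on, records one command and prints that command's entry
#   as `history` renders it.  HISTFILE is emptied so the child never reads
#   or writes a real ~/.bash_history.
demo_history_line() {
    HISTTIMEFORMAT="$(audit_hist_format "$1" "$2")" HISTFILE= bash <<'EOF'
set -o history
echo audit-demo >/dev/null
history 2 | head -n 1
EOF
}

# Example run with a constructed SSH session: prints one stamped entry of
# the form "    1  2021-09-15 10:00:00 10.0.0.5 alice echo audit-demo >/dev/null".
demo_history_line "10.0.0.5 51234 10.0.0.1 22" alice
```

The demo makes the caveat visible: the child bash never ran who or SSH at all, yet its entry carries the address and user, because those fields are just literal text in the format string of the shell that renders the entry. Anything you want tied to the command itself has to be recorded at the moment the command is read, which is what the syslog approach in the next section does.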


The configuration above is enough for day-to-day auditing, but anyone who knows the system will see that it only sets environment variables. An attacker can unset HISTTIMEFORMAT, set HISTSIZE=0 or HISTFILE=/dev/null, start a different shell, or simply delete ~/.bash_history, and the record is gone. Marking the variables readonly in /etc/profile raises the bar a little, but it does not survive an attacker who starts bash with --norc or uses another shell. For incident response this is a disaster.

How do we deal with this? That is the focus of this article: by modifying the bash source so that every history line is also sent through syslog to a remote log server, we make it much harder for an attacker to destroy the integrity of the history records, because each record leaves the host before the attacker can touch it.

2. Modify bash source code to support syslog recording

First download the bash source from gnu.org; the download itself is not described in detail, but do verify the tarball's GPG signature before building it. The system needs gcc, make and the rest of the usual build environment. Bash 4.4 is used for the demonstration.

Modify the source file bashhist.c (the change is shown in the figure below). This is the file in which bash_add_history() hands each new history line to syslog() once SYSLOG_HISTORY is defined, so it is also where the format of the logged message lives.


In config-top.h, uncomment the line /* #define SYSLOG_HISTORY */ so that it reads #define SYSLOG_HISTORY. The lines just below it select the syslog facility and level (LOG_USER and LOG_INFO by default).


Compile and install. The compilation process is not described in detail; the configure options used here are ./configure --prefix=/usr/local/bash. After a successful installation the directory looks like this:

At this point you can either change the affected users' login shell in /etc/passwd to point at the new bash, or replace the original bash binary with the freshly built one. Either way, back up the original binary first.

Two points to watch during the replacement:

  • 1. Make sure the file is executable. The build output is, but a binary that has passed through a Windows machine on its way to the server often arrives without the execute bit. Check it (ls -l, chmod +x), or you will regret it when nobody can log in.
  • 2. The original bash is in use by every running shell, so it cannot be overwritten in place. Switch your own user to the new bash first (as in the previous step) and then replace the original, or copy the new binary in under a different name and rename it over the old one.
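The build and installation steps of this section, as an added example that is not part of the original article: shell functions for fetching and verifying the tarball, enabling SYSLOG_HISTORY in config-top.h, building with the article's prefix, switching a user's login shell to the new binary, and an rsyslog forwarding rule for the next step. The version (4.4), prefix (/usr/local/bash), the user alice and the log-server address 10.0.0.20 are assumptions; the function names are mine. Note that this only enables the stock SYSLOG_HISTORY option, whose message format is "HISTORY: PID=... UID=... command"; the article's own edit to bashhist.c (shown in its figure) is not applied here.

```shell
#!/bin/sh
# Added example, not from the original article: the build steps as shell
# functions, plus the two checks that are easy to skip (verifying the
# tarball before compiling it, and confirming the execute bit before making
# the binary a login shell).  Version, prefix and the log-server address
# are assumptions; adjust them.

BASH_VER=4.4                      # version used in the article
PREFIX=/usr/local/bash            # the article's --prefix
GNU_MIRROR=https://ftp.gnu.org/gnu/bash

# enable_syslog_history CONFIG_TOP_H
#   Uncomments `/* #define SYSLOG_HISTORY */` in config-top.h, rewriting the
#   file through a temp copy (works with any sed, not only GNU sed -i).
#   Returns 0 only if the define is active afterwards.  In bash 4.4 the
#   lines right below it set SYSLOG_FACILITY to LOG_USER and SYSLOG_LEVEL to
#   LOG_INFO, which is why the records land in the "user" facility.
enable_syslog_history() {
    f=$1
    sed 's|^/\* #define SYSLOG_HISTORY \*/|#define SYSLOG_HISTORY|' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
    grep -q '^#define SYSLOG_HISTORY' "$f"
}

# fetch_and_verify VERSION
#   Downloads the tarball, its detached signature and the GNU keyring, and
#   refuses to continue unless the signature checks out.
fetch_and_verify() {
    ver=$1
    curl -fsSLO "$GNU_MIRROR/bash-$ver.tar.gz"
    curl -fsSLO "$GNU_MIRROR/bash-$ver.tar.gz.sig"
    curl -fsSLO https://ftp.gnu.org/gnu/gnu-keyring.gpg
    gpg --no-default-keyring --keyring ./gnu-keyring.gpg \
        --verify "bash-$ver.tar.gz.sig" "bash-$ver.tar.gz"
}

# build_and_install VERSION PREFIX
#   Unpacks, turns on SYSLOG_HISTORY, then configures/builds/installs under
#   PREFIX (the article's ./configure --prefix=/usr/local/bash).
build_and_install() {
    ver=$1; prefix=$2
    tar xzf "bash-$ver.tar.gz"
    enable_syslog_history "bash-$ver/config-top.h" || return 1
    (cd "bash-$ver" && ./configure --prefix="$prefix" && make && make install)
}

# install_as_login_shell PREFIX USER
#   Points USER's login shell at the new binary instead of overwriting
#   /bin/bash, which is "text file busy" while any shell runs from it.
#   Keeps a dated backup of the original and checks the execute bit first;
#   a non-executable login shell locks the account out.
install_as_login_shell() {
    newbash=$1/bin/bash; user=$2
    [ -x "$newbash" ] || { echo "$newbash is not executable (chmod +x it)" >&2; return 1; }
    cp -p /bin/bash "/bin/bash.orig.$(date +%Y%m%d)"
    grep -qx "$newbash" /etc/shells || echo "$newbash" >> /etc/shells
    usermod -s "$newbash" "$user"
}

# write_forwarding_rule RULE_FILE LOGSERVER
#   rsyslog rule forwarding every message containing "HISTORY" (the prefix
#   bash_syslog_history() in bashhist.c uses) to LOGSERVER over TCP on 514.
#   "@@" means TCP; a single "@" would be UDP.  Drop the file into
#   /etc/rsyslog.d/ and restart rsyslog.
write_forwarding_rule() {
    printf ':msg, contains, "HISTORY" @@%s:514\n' "$2" > "$1"
}

# Usage, as root, on the build host:
#   fetch_and_verify "$BASH_VER"
#   build_and_install "$BASH_VER" "$PREFIX"
#   install_as_login_shell "$PREFIX" alice
#   write_forwarding_rule /etc/rsyslog.d/10-bash-history.conf 10.0.0.20
```

Changing the login shell rather than overwriting /bin/bash sidesteps the "text file busy" problem from point 2 above and leaves a known-good shell to fall back to; the /etc/shells entry is what lets chsh and similar tools accept the new path.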

Checking the effect, the history records are now written to the local syslog file, /var/log/messages here (on Debian-based systems the user facility ends up in /var/log/syslog).


To forward the records to a remote log server, configure the syslog daemon (rsyslog or syslog-ng) to ship messages of the chosen facility to that server; the configuration is not covered in detail here. The result on the log server is shown in the figure below.


With the measures above, the integrity of the history records is effectively protected: an attacker can no longer erase their actions by unsetting variables or deleting history files after logging in, and the log server holds complete raw data for security audit and incident response. Be clear about what the mechanism covers: only commands read by the patched bash are logged, so another shell or interpreter on the host bypasses it, and a root attacker can still stop the local syslog daemon; it is the copy that has already reached the remote server that makes the record durable.

This article is an original article of Xmirror Security Lab (悬镜安全实验室). If you reprint it, please credit: http://lab.xmirror.cn/2017/05…
