[Pauldotcom] Archiving History files
doj at primeinfosec.com
Tue Jan 19 15:46:55 UTC 2010

Monkey Daemon wrote:
> I've just discovered a system on which one of our darling users has
> decided adding a script to his .bash_logout file that removes
> .bash_history on logout is a clever thing to do.
> Is there a way to take a copy of the .bash_history file before it is
> deleted? This user obviously has something to hide as far as I'm
> concerned, so I need to archive this file to present it as evidence.

How about compiling a custom version of bash that writes the history
file out to an alternate location? I have used that technique in the
past for a similar situation and it was quite effective. There is little
chance someone would suspect a 'trojaned' shell, typically.
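
Added example, not part of the original post and not the poster's method: a POSIX shell check that scans per-user bash startup and logout files for lines that delete or disable `.bash_history`. It goes beyond the single `rm` in `.bash_logout` case described in the quoted question. The function names, the patterns, and the one-directory-per-user layout are assumptions, and the sample files are constructed.

```sh
#!/bin/sh
# Added example: flag startup/logout files that tamper with bash history.
# Assumption: HOME_ROOT holds one directory per user (e.g. /home).

# Delete or overwrite the history file.
RE_DELETE='(^|[;&|[:space:]])(rm|shred|unlink|truncate)[[:space:]].*\.bash_history'
RE_CLOBBER='>[[:space:]]*[^[:space:]]*\.bash_history'
# Clear in-memory history or stop bash from saving it.
RE_CLEAR='history[[:space:]]+-c'
RE_DISABLE='unset[[:space:]]+HISTFILE|HISTFILE=(/dev/null)?([[:space:]]|;|$)|HIST(FILE)?SIZE=0([[:space:]]|;|$)'

# Print "file:line:text" for every suspicious, non-comment line.
scan_history_tampering() {
    home_root=$1
    for home in "$home_root"/*/; do
        for rc in .bash_logout .bashrc .bash_profile .profile; do
            f="${home}${rc}"
            [ -f "$f" ] || continue
            grep -nE -e "$RE_DELETE" -e "$RE_CLOBBER" -e "$RE_CLEAR" \
                     -e "$RE_DISABLE" "$f" |
            grep -vE '^[0-9]+:[[:space:]]*#' |   # ignore commented-out lines
            while IFS= read -r hit; do
                printf '%s:%s\n' "$f" "$hit"
            done
        done
    done
}

# Number of findings, for use in monitoring checks.
count_history_tampering() {
    scan_history_tampering "$1" | wc -l | tr -d ' '
}

# Constructed sample homes for trying the check offline; prints the temp dir.
make_constructed_homes() {
    d=$(mktemp -d) || return 1
    mkdir "$d/alice" "$d/bob" "$d/carol"
    printf '%s\n' '# ~/.bash_logout' 'rm -f ~/.bash_history' > "$d/alice/.bash_logout"
    printf '%s\n' '# rm ~/.bash_history' 'HISTSIZE=5000' > "$d/bob/.bashrc"
    printf '%s\n' 'export HISTFILE=/dev/null' > "$d/carol/.bash_profile"
    printf '%s\n' "$d"
}
```

Run `scan_history_tampering /home` as root so every user's files are readable; findings are leads for review, since the patterns can match harmless lines.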