How can I find all places where commands are stored in plain text in the system? I would disable the logging or restrict access to it.

Is it a security risk for a system if an attacker gets access to all previously executed commands?

forest
brkroot
  • Commands given to what, the system shell? An SQL database manager? A screen pager? Vim? – forest May 30 '19 at 00:35
  • I think you can use all of these in the terminal. And I guess all commands will be saved in the .bash_history file. I am trying to find out where else these commands will be logged (if performed only through the terminal) – brkroot May 30 '19 at 02:46
  • Do things like `vim` or `less` history stored in their own files count? – forest May 30 '19 at 02:48
  • No. For example, for less, it will store files in `~/.lesshst`. But also if I use `less -I`, or any less command for screen navigation, those commands will be logged in bash history. I think the same commands should be stored somewhere else? – brkroot May 30 '19 at 03:01
  • I think I am asking if there is a copy of the .bash_history file hidden somewhere in the system, or a similar file containing commands executed in the terminal. – brkroot May 30 '19 at 03:03
  • Yes, most likely in unallocated space, but you need to be able to read the raw block device to find it (i.e. a regular user can't obtain it). This is a result of how bash processes history. – forest May 30 '19 at 03:04
  • A regular user could obtain root privileges and read them? If that's what you mean by regular user. – brkroot May 30 '19 at 03:06
  • If a regular user got root (legitimately or otherwise), they could read the block device directly. – forest May 30 '19 at 03:07
  • Please have a look at my other question to better understand my worries (Are my passwords at risk if they are stored at my desktop?) – brkroot May 30 '19 at 03:09
  • I think I see what you mean. No, that is not a secure design. Use a password manager. – forest May 30 '19 at 03:12
  • Fair enough. Can you please explain why it is not a secure way, so I can improve it? I use a password manager. This is just an idea I am trying. – brkroot May 30 '19 at 03:15
  • It is not secure because an attacker could try every single password-sized range of bytes from your disk and attempt to use it directly as a password, and they could do so far more quickly than if they were to just brute force it. In fact, forensic investigators actually _do_ something like that. – forest May 30 '19 at 03:17
  • Thank you. But there are no password-sized ranges (unless the passwords are being stored somehow on the disk while using them on the website). It is a 100+ long string of characters and only I know what password starts and finishes where on that string. Can a hacker break it down? Are there such tools? – brkroot May 30 '19 at 03:23
  • Yes, a hacker can break it down. You know where it starts and finishes within a very finite amount of data. For it to be secure, you would need a 2^128+ long string. That's obviously impossible. – forest May 30 '19 at 03:24
  • That's bad. So in my case it doesn't really matter where and how commands from the terminal are logged. It is just that the file is very much vulnerable and I shouldn't store it on the disk. Thanks for answering. – brkroot May 30 '19 at 03:28
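
For the question's goal of finding history files and restricting access to them, here is an added example (not code from anyone in this thread) that searches home directories for per-tool history files such as the `.bash_history` and `~/.lesshst` mentioned above and tightens any that are readable by group or other. The `HISTORY_NAMES` list and the function names are assumptions made for illustration, the list is not exhaustive, and the script does not touch copies left in unallocated disk space.

```shell
#!/bin/sh
# Added example: audit per-user history files for loose permissions.
# HISTORY_NAMES is an assumed, non-exhaustive list; extend it for your tools.
HISTORY_NAMES=".bash_history .zsh_history .lesshst .viminfo .mysql_history .psql_history .python_history"

# find_history ROOT [extra find predicates...]
#   Search ROOT/<user>/<file> (two levels deep) for each known history name.
find_history() {
    _root=$1
    shift
    for _name in $HISTORY_NAMES; do
        find "$_root" -maxdepth 2 -type f -name "$_name" "$@" 2>/dev/null
    done | sort
}

# list_history_files ROOT: every known history file, one path per line.
list_history_files() {
    find_history "$1"
}

# list_exposed_history_files ROOT: only files readable by group or other.
list_exposed_history_files() {
    find_history "$1" '(' -perm -040 -o -perm -004 ')'
}

# restrict_history_files ROOT: chmod 600 each exposed file, print how many.
restrict_history_files() {
    list_exposed_history_files "$1" | {
        _count=0
        while IFS= read -r _path; do
            chmod 600 "$_path" && _count=$((_count + 1))
        done
        echo "$_count"
    }
}

# When called with a directory argument (e.g. /home), report exposed files.
if [ "$#" -gt 0 ]; then
    list_exposed_history_files "$1"
fi
```

Reading other users' home directories requires root; run it against `/home` and `/root` separately, since only two directory levels are searched.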
