
Would it be possible to securely store all issued shell commands (.bash_history etc.) in a blockchain to prevent users from modifying their history?

I'd be interested in implementing this for several multi-user systems, though I wonder why no one seems to have adopted this idea yet. Many attacks involving shell access, in some way or another, could be traced better if the command history was accurate; malevolent users could not cover up their actions, and so on.

INV3NT3D
Moritz Friedrich
  • Is it possible: surely. Why is it not done: cost. – M'vy Sep 22 '16 at 11:59
  • Why blockchain? If you just want an unmodifiable history, just commit every command to a code repository. – billc.cn Sep 22 '16 at 12:11
  • @billc.cn you are assuming your users aren't in cahoots with the owner of the code repository. – mikeazo Sep 22 '16 at 16:02
  • blockchain only helps to prove that a particular chain is trusted, it won't stop deletion or modification of the chain. – Chaim Geretz Sep 22 '16 at 21:20
  • I feel like "blockchain" is a buzzword that people like to use just for the sake of gaining buzzword points. What's wrong with a normal database on a secured computer? – user253751 Sep 23 '16 at 01:20
  • @immibis just to clarify - I haven't had much experience with the technology yet and figured this would be a good use case for it. Using a secure, local, set-up-and-forget command history storage instead of another dedicated logging server sounds not too bad to me :) – Moritz Friedrich Sep 23 '16 at 04:27
  • @MoFriedrich Blockchains are neither local, nor set-up-and-forget, nor secure for the kind of security properties you want here. – user253751 Sep 23 '16 at 04:55
  • @immibis well, considering I'd like to have a command history not modifiable by users I only need to trace back what happened once problems arise -- why not have a network-local blockchain that stores all users' commands as transactions? – Moritz Friedrich Sep 23 '16 at 05:05
  • @MoFriedrich the answer to "why not have a network-local blockchain...?" is because a simple trusted database (or log) is better. You need trust somewhere anyway, to ensure a user can't just run a command and then not record it in the blockchain - using a blockchain doesn't give you the advantage of not needing trust. A proof-of-work blockchain needs as many miners as possible which means it's not local (generally you would tie it to the Bitcoin blockchain somehow), or you can have a blockchain using a single trusted server as a miner, but then you're back to why not use a logging server? – user253751 Sep 23 '16 at 05:20

1 Answer


The shell is probably the wrong place to do logging of commands. A user could simply execute another shell without history or execute commands read from stdin without leaving a trace in the history. Thus it does not protect a lot against malevolent users.

Instead of securing the shell history one should securely log the commands executed by a user, no matter if these are executed by the shell or not. And this should be done so that the user is not able to execute any commands without a trace. There is actually already an audit framework which can do this, see System Auditing in the RHEL documentation.

And while blockchain sounds like a nice (and hyped) technology: there are other technologies which provide the necessary security without all the overhead. For logging the activity of a non-privileged user it is enough to do the logging as root. In case one fears privilege escalation one can use the existing mechanisms of syslog to log to a remote server. And some syslog implementations also provide a way to sign the messages to prove their origin.

Steffen Ullrich
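To make the answer's point concrete, here is an added example (not code from the answer or from the audit framework itself) that parses the SYSCALL/EXECVE record pairs the Linux audit subsystem writes for an execve rule: it reconstructs each command line, including the hex-encoded argument of a `sh -c ...` invocation that would never appear in any .bash_history, and attributes it to the login uid (auid), which stays the same even after the session switches to root. The log lines are constructed for the example; the rule name `user_cmds` and the uids are assumptions.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample (not captured from a real host) of what auditd logs under an
# execve rule keyed "user_cmds": a plain `ls`; a `sh -c ...` whose argument audit
# hex-encodes because it contains spaces; and a command run after the same login
# session became uid 0, where auid still carries the original login uid.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1474545600.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4120 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="user_cmds"
type=EXECVE msg=audit(1474545600.101:201): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1474545600.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4121 auid=1000 uid=1000 gid=1000 comm="sh" exe="/usr/bin/dash" key="user_cmds"
type=EXECVE msg=audit(1474545600.102:202): argc=3 a0="sh" a1="-c" a2=6563686F206869207468657265203E202F746D702F6E6F7465
type=SYSCALL msg=audit(1474545600.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=4120 pid=4122 auid=1000 uid=0 gid=0 comm="cat" exe="/usr/bin/cat" key="user_cmds"
type=EXECVE msg=audit(1474545600.103:203): argc=2 a0="cat" a1="/var/log/syslog"
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$", re.M)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def decode_arg(raw):
    # EXECVE argv values are double-quoted, or hex-encoded (no quotes) when they
    # contain whitespace or non-printable bytes.
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", "replace")

def parse_audit_log(text):
    """Join the SYSCALL and EXECVE records sharing one event id into a dict
    per executed command, in log order."""
    events = defaultdict(dict)
    for m in RECORD_RE.finditer(text):
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        ev = events[(ts, int(serial))]
        if rtype == "SYSCALL":
            ev["auid"] = int(fields["auid"])  # login uid, survives su/sudo
            ev["uid"] = int(fields["uid"])    # effective uid at execve time
        elif rtype == "EXECVE":
            argc = int(fields["argc"])
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(argc)]
    return [ev for ev in events.values() if "argv" in ev and "auid" in ev]

def commands_by_login_uid(events):
    """Attribute every reconstructed command line to the login uid that ran it."""
    out = defaultdict(list)
    for ev in events:
        out[ev["auid"]].append(shlex.join(ev["argv"]))
    return dict(out)
```

Running `commands_by_login_uid(parse_audit_log(SAMPLE_AUDIT_LOG))` yields all three commands under login uid 1000, including the one executed as uid 0 and the one passed to `sh -c` rather than typed into an interactive shell.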