From a867885a4d760d7872c0284e080dcb652f3c9e4f Mon Sep 17 00:00:00 2001
From: Michael
Date: Wed, 1 Oct 2014 21:18:28 -0400
Subject: [PATCH 01/11] Create histprotect.sh Exceptionally weak commit
---
 histprotect/histprotect.sh | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 histprotect/histprotect.sh
diff --git a/histprotect/histprotect.sh b/histprotect/histprotect.sh
new file mode 100644
index 0000000..32a1cce
--- /dev/null
+++ b/histprotect/histprotect.sh
@@ -0,0 +1,2 @@
+#/bin/bash
+echo HistProtect at le service!
From 5b93e0097688371187ebcfb4b6fa63ea72b07718 Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 2 Oct 2014 07:57:27 -0400
Subject: [PATCH 02/11] Secure root In the future: iterate through ls /home/, apply it to all of those then in the further future: ensure it exists
---
 histprotect/histprotect.sh | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/histprotect/histprotect.sh b/histprotect/histprotect.sh
index 32a1cce..238b957 100644
--- a/histprotect/histprotect.sh
+++ b/histprotect/histprotect.sh
@@ -1,2 +1,23 @@
 #/bin/bash
 echo HistProtect at le service!
+echo Straight up stolen from StackOverflow
+echo But it gets the job done so why would I rewrite it
+echo Making append-only
+chattr +a /root/.bash_history
+chattr +a /root/.bash_profile
+chattr +a /root/.bash_login
+chattr +a /root/.profile
+chattr +a /root/.bash_logout
+chattr +a /root/.bashrc
+echo Hardening environment variables
+shopt -s histappend
+ echo "readonly PROMPT_COMMAND=\"history -a\"" >> /root/.bashrc
+echo readonly HISTFILE >> /root/.bashrc
+echo readonly HISTFILESIZE >> /root/.bashrc
+echo readonly HISTSIZE >> /root/.bashrc
+echo readonly HISTCMD >> /root/.bashrc
+echo readonly HISTCONTROL >> /root/.bashrc
+echo readonly HISTIGNORE >> /root/.bashrc
+chmod 750 csh
+chmod 750 tcsh
+chmod 750 ksh
From 4e29a32703bcf4afd68c9b52f11ad1bdeec142b4 Mon Sep 17 00:00:00 2001
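Review bot: The first added line, `#/bin/bash`, is missing the `!`, so it is an ordinary comment and the file has no interpreter line; when executed directly it runs under whatever shell the caller falls back to, and the bash-only `shopt` added in PATCH 02 will fail under a POSIX sh. It should read `#!/bin/bash`. Since everything that follows modifies root-owned files, a failing interpreter choice here is not cosmetic; it decides whether the later hardening lines run at all.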
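Review bot: `shopt -s histappend` on the added line runs in the script's own shell and is never written to any rc file, so it does not change how the protected root shell saves history; as far as I can tell bash without histappend rewrites `.bash_history` by truncation on exit, and that open is refused once the file is append-only, so the session's history is silently not saved rather than protected. Persist it next to the other settings: `echo 'shopt -s histappend' >> /root/.bashrc`. The three `chmod 750 csh`/`tcsh`/`ksh` lines act on relative names in the current directory, not on the shell binaries, and will simply fail wherever those files are absent from the cwd; name the intended paths explicitly or drop them. The script also assumes it runs as root (chattr on /root files requires it) without checking `id -u`.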
From: Michael
Date: Thu, 2 Oct 2014 08:11:44 -0400
Subject: [PATCH 03/11] iterate through any other histories do a root find
---
 histprotect/histprotect.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/histprotect/histprotect.sh b/histprotect/histprotect.sh
index 238b957..34e395e 100644
--- a/histprotect/histprotect.sh
+++ b/histprotect/histprotect.sh
@@ -21,3 +21,16 @@ echo readonly HISTIGNORE >> /root/.bashrc
 chmod 750 csh
 chmod 750 tcsh
 chmod 750 ksh
+
+echo Protecting any other users on the system
+for i in $(find / -name .bash_history); do
+chattr +a $i
+done
+for i in $(find / -name .bashrc); do
+echo readonly HISTFILE >> $i
+echo readonly HISTFILESIZE >> $i
+echo readonly HISTSIZE >> $i
+echo readonly HISTCMD >> $i
+echo readonly HISTCONTROL >> $i
+echo readonly HISTIGNORE >> $i
+done
From 46d1ecdd7fc27dc93d01e19df79ff98b3ecb71fc Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 2 Oct 2014 08:12:36 -0400
Subject: [PATCH 04/11] Update histprotect.sh
---
 histprotect/histprotect.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/histprotect/histprotect.sh b/histprotect/histprotect.sh
index 34e395e..a09f399 100644
--- a/histprotect/histprotect.sh
+++ b/histprotect/histprotect.sh
@@ -27,6 +27,7 @@ for i in $(find / -name .bash_history); do
 chattr +a $i
 done
 for i in $(find / -name .bashrc); do
+ echo "readonly PROMPT_COMMAND=\"history -a\"" >> $i
 echo readonly HISTFILE >> $i
 echo readonly HISTFILESIZE >> $i
 echo readonly HISTSIZE >> $i
From 6e7480382ea7a245d07c77484aa447773fcce357 Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 2 Oct 2014 08:23:50 -0400
Subject: [PATCH 05/11] check files, include more Check for files before it writes and include files in for loop
---
 histprotect/histprotect.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/histprotect/histprotect.sh b/histprotect/histprotect.sh
index a09f399..d91798c 100644
--- a/histprotect/histprotect.sh
+++ b/histprotect/histprotect.sh
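Review bot: Both added loops iterate over `$(find / ...)` and use `$i` unquoted, so a path containing whitespace is split into several words and the `chattr`/`>>` are applied to names that do not exist; read the results NUL-delimited instead, `find / -xdev -type f -name .bash_history -print0 | while IFS= read -r -d '' i; do chattr +a "$i"; done`. The second loop is the riskier one: it runs as root and appends to every `.bashrc` that `find` returns with no `-type f` filter, and `>>` follows symlinks, so an entry placed by an unprivileged user inside their own home can redirect root's write to a file of their choosing; restrict the match to regular files and preferably derive home directories from `getent passwd` rather than scanning `/`. Without `-xdev` the scan also descends into /proc, /sys and any network mounts. The same unquoted `$i` appears on the line added in PATCH 04.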
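Review bot: The added line is appended unconditionally, so every run of the script writes another `readonly PROMPT_COMMAND="history -a"` into each `.bashrc`, and from the second run on the user's shell reports `readonly variable` at every startup because a read-only variable cannot be assigned again; the six `readonly HIST*` appends below it, and the `/root/.bashrc` appends in PATCH 02, duplicate the same way. Guard each append with a presence check, e.g. `grep -qF 'readonly PROMPT_COMMAND' "$i" || echo "readonly PROMPT_COMMAND=\"history -a\"" >> "$i"`. Making PROMPT_COMMAND read-only also breaks any distro or user rc fragment that assigns it afterwards, which the README should state.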
@@ -3,12 +3,12 @@ echo HistProtect at le service!
 echo Straight up stolen from StackOverflow
 echo But it gets the job done so why would I rewrite it
 echo Making append-only
-chattr +a /root/.bash_history
-chattr +a /root/.bash_profile
-chattr +a /root/.bash_login
-chattr +a /root/.profile
-chattr +a /root/.bash_logout
-chattr +a /root/.bashrc
+if [ -f /root/.bash_history ] ; then chattr +a /root/.bash_history ; fi
+if [ -f /root/.bash_profile ] ; then chattr +a /root/.bash_profile ; fi
+if [ -f /root/.bash_login ] ; then chattr +a /root/.bash_login ; fi
+if [ -f /root/.profile ] ; then chattr +a /root/.profile ; fi
+if [ -f /root/.bash_logout ] ; then chattr +a /root/.bash_logout ; fi
+if [ -f /root/.bashrc ] ; then chattr +a /root/.bashrc ; fi
 echo Hardening environment variables
 shopt -s histappend
  echo "readonly PROMPT_COMMAND=\"history -a\"" >> /root/.bashrc
@@ -23,8 +23,8 @@ chmod 750 tcsh
 chmod 750 ksh
 
 echo Protecting any other users on the system
-for i in $(find / -name .bash_history); do
-chattr +a $i
+for i in $(find / -type f \( -name .bash_history -o -name .bashrc \)); do
+if [ -f $i ] ; then chattr +a $i ; fi
 done
 for i in $(find / -name .bashrc); do
  echo "readonly PROMPT_COMMAND=\"history -a\"" >> $i
From 79963d304902ff83ca7a4abcc865789895389b5f Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 2 Oct 2014 08:24:18 -0400
Subject: [PATCH 06/11] Update histprotect.sh
---
 histprotect/histprotect.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/histprotect/histprotect.sh b/histprotect/histprotect.sh
index d91798c..da6a2aa 100644
--- a/histprotect/histprotect.sh
+++ b/histprotect/histprotect.sh
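Review bot: The new `if [ -f ... ]` guards only check existence; each `chattr +a` still discards its exit status, so a run as a non-root user, or on a filesystem without attribute support, prints one error per file and the script continues as if the hardening had applied. Add a privilege check at the top of the script, `[ "$(id -u)" -eq 0 ] || { echo 'must run as root' >&2; exit 1; }`, and treat a failed chattr as a failure, e.g. `chattr +a /root/.bash_history || exit 1`. Note that `/root/.bashrc` becomes append-only here before the `>>` appends further down; those still succeed because appending is permitted, but any later edit of the file now needs `chattr -a` first, which deserves a comment.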
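Review bot: The `-type f` filter was added to the first loop but not to the second one (`for i in $(find / -name .bashrc); do`, a context line in this hunk), which is the loop that writes as root; keep the two consistent, `for i in $(find / -xdev -type f -name .bashrc); do`, and quote `$i` in both bodies. With `-type f` already on the first `find`, the inner `if [ -f $i ]` only re-checks the same condition a moment later and can go. This hunk also makes every user's `.bashrc` append-only; the second loop's `>>` still works, but users lose the ability to edit their own rc file, which the README should say.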
@@ -1,6 +1,8 @@
 #/bin/bash
 echo HistProtect at le service!
-echo Straight up stolen from StackOverflow
+echo Straight up stolen from StackOverflow, then improved
+# http://superuser.com/questions/308882/secured-bash-history-usage
+echo MOST of this is tested
 echo But it gets the job done so why would I rewrite it
 echo Making append-only
 if [ -f /root/.bash_history ] ; then chattr +a /root/.bash_history ; fi
From a47c3249cc6ce7820917bc4fc4ffc63b35342213 Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 2 Oct 2014 08:27:20 -0400
Subject: [PATCH 07/11] Update README.md
---
 histprotect/README.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/histprotect/README.md b/histprotect/README.md
index 1ee41d5..11c7a61 100644
--- a/histprotect/README.md
+++ b/histprotect/README.md
@@ -5,11 +5,15 @@ This script will automatically take the required steps necessary to lock down .b Features: -* Mark .bash_history as append-only -* Make sure that the HISTFILE variable is read-only. +* Mark .bash_history as append-only✓ +* Make sure that the HISTFILE variable is read-only.✓ * Check to see if the user is echoing fake history to the file. * Prevent .bash_history from being read by other users. * Intelligent auto protect mode. * Plus more! -Coming soon \ No newline at end of file +Coming soon + +============== +Some improvements & the create made by Marshall Academy Cyber in an effort to provide to upstream projects in a FOSS movement +Contact us via statesmencybersecurity.org if needed
From fad0728add399547b3c44abbf1670b388587c8a2 Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 2 Oct 2014 08:43:16 -0400
Subject: [PATCH 08/11] Chmod it Set it to proper permissions
---
 histprotect/histprotect.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/histprotect/histprotect.sh b/histprotect/histprotect.sh
index da6a2aa..f742a7b 100644
--- a/histprotect/histprotect.sh
+++ b/histprotect/histprotect.sh
@@ -26,7 +26,8 @@ chmod 750 ksh
 
 echo Protecting any other users on the system
 for i in $(find / -type f \( -name .bash_history -o -name .bashrc \)); do
-if [ -f $i ] ; then chattr +a $i ; fi
+if [ -f $i ] ; then chmod 600 $i; chattr +a $i ; fi
+
 done
 for i in $(find / -name .bashrc); do
  echo "readonly PROMPT_COMMAND=\"history -a\"" >> $i
@@ -37,3 +38,6 @@ echo readonly HISTCMD >> $i
 echo readonly HISTCONTROL >> $i
 echo readonly HISTIGNORE >> $i
 done
+
+echo "for i in \$(find / -type f \( -name .bash_history \)); do cat $i | grep \"history -c\" ; done >> /dev/null" >> /root/.bashrc
+if [ $? -eq 1 ] ; then echo History clear detected; fi
From 71681e6d9a199c28d01633c8cc430b314c5c6cd7 Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 2 Oct 2014 08:43:19 -0400
Subject: [PATCH 09/11] Chmod it Set it to proper permissions
From 0053fb5d6a7357f8d0bedcd5a4fa35c8ffe3c8f9 Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 2 Oct 2014 09:28:56 -0400
Subject: [PATCH 10/11] Update README.md
---
 histprotect/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/histprotect/README.md b/histprotect/README.md
index 11c7a61..1fe9960 100644
--- a/histprotect/README.md
+++ b/histprotect/README.md
@@ -7,8 +7,8 @@ Features:
 
 * Mark .bash_history as append-only✓
 * Make sure that the HISTFILE variable is read-only.✓
-* Check to see if the user is echoing fake history to the file.
-* Prevent .bash_history from being read by other users.
+* Check to see if the user is echoing fake history to the file.✓
+* Prevent .bash_history from being read by other users.✓
 * Intelligent auto protect mode.
 * Plus more!
 
From 495cb2c7fb06bb7af6f629b304186b14545f0662 Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 2 Oct 2014 10:04:46 -0400
Subject: [PATCH 11/11] Update histprotect.sh
---
 histprotect/histprotect.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/histprotect/histprotect.sh b/histprotect/histprotect.sh
index f742a7b..e83eccf 100644
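Review bot: In the added `echo "for i in \$(find ...` line the inner `$i` is not escaped (unlike `\$(find`), so it expands now, at script run time, to the last `.bashrc` path left over from the loop above, and the command written into /root/.bashrc greps that one fixed file instead of each history file it finds; the grep output is then redirected to /dev/null, so nothing would be reported even on a match. The following `if [ $? -eq 1 ]` tests the exit status of the `echo ... >>` redirection, not of a grep that will only run in future root shells, so `History clear detected` can appear only when the append itself fails. If a login-time check is wanted, write the loop in single quotes so nothing expands early and let grep name the file, e.g. `echo 'for f in $(find / -xdev -type f -name .bash_history); do grep -lF "history -c" "$f"; done' >> /root/.bashrc`, and document that this performs a filesystem scan on every root login. This block is also appended without a presence check, so it duplicates on each run.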
--- a/histprotect/histprotect.sh
+++ b/histprotect/histprotect.sh
@@ -5,6 +5,11 @@ echo Straight up stolen from StackOverflow, then improved
 echo MOST of this is tested
 echo But it gets the job done so why would I rewrite it
 echo Making append-only
+echo Protecting any other users on the system
+for i in $(find / -type f \( -name .bash_history -o -name .bashrc \)); do
+if [ -f $i ] ; then chmod 600 $i; chattr +a $i ; fi
+
+done
 if [ -f /root/.bash_history ] ; then chattr +a /root/.bash_history ; fi
 if [ -f /root/.bash_profile ] ; then chattr +a /root/.bash_profile ; fi
 if [ -f /root/.bash_login ] ; then chattr +a /root/.bash_login ; fi
@@ -24,11 +29,7 @@ chmod 750 csh
 chmod 750 tcsh
 chmod 750 ksh
 
-echo Protecting any other users on the system
-for i in $(find / -type f \( -name .bash_history -o -name .bashrc \)); do
-if [ -f $i ] ; then chmod 600 $i; chattr +a $i ; fi
 
-done
 for i in $(find / -name .bashrc); do
  echo "readonly PROMPT_COMMAND=\"history -a\"" >> $i
 echo readonly HISTFILE >> $i
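Review bot: The relocated loop now runs before the six `/root` lines, and since `find /` also matches `/root/.bash_history` and `/root/.bashrc`, those two files get `chmod 600` and `chattr +a` here and then `chattr +a` again below, while the other users' `.bash_profile`, `.bash_login`, `.profile` and `.bash_logout` are still not covered by the loop at all. Either extend the `-name` list to the same six names the `/root` block uses, or drop the duplicated root entries, so one mechanism handles every account consistently. The blank line left inside the loop body (`fi`, `+`, `done`) is a leftover from the move and should be removed. The body still uses unquoted `$i`, as raised on PATCH 03.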