
We are going through a process to make our linux servers more secure following a scan. I notice that on some of the machines, we now have lines like:

LANG=C; printf "priv_escl_start_%s" "[random 8 alnum]"; su root -c 'printf "command_start_%s" "[random 8 alnum]"; LC_ALL=C cat '\''/proc/31434/cmdline'\'' 2>/dev/null; printf "command_done_%s" "[random 8 alnum]"'; printf "priv_escl_end_%s" "[random 8 alnum]"

which spam the history file for root. For this reason, it's impossible to know what was run by root previously, since these messages easily outgrow HISTSIZE. I'm not entirely sure which change to what file enabled logging of the privilege start/end lines to history. I don't mind logging, but not to the history file.

Johnny Doe
  • Are you sure there isn't useful information in /var/log as to who is doing what? Examples might be: /var/log/secure, /var/log/audit (though files in that directory may want some additional tools for parsing), and the like? – Slartibartfast Oct 22 '19 at 03:25
  • /var/log/audit/audit.log mainly shows a lot of CRYPTO_KEY_USER, USER_START, and CRED_REFR entries. /var/log/secure mainly shows that FIPS is enabled and some failures by a Nessus scanner attempting bad creds and the occasional ssh successful login. – Johnny Doe Oct 22 '19 at 16:57
  • Did you ever figure this out? – Marc C Aug 16 '23 at 18:56
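A worked example, added here as an illustration and not taken from the question or the comments above. It assumes the `priv_escl_start_` / `command_start_` marker strings are emitted by the scanner's own `su root -c` wrapper (the question does not name the tool), that the host uses bash with the conventional start-up files (`/etc/profile`, `/etc/bashrc`, `/etc/bash.bashrc`, `/etc/profile.d/*`, `/root/.bashrc`, `/root/.bash_profile`), and that the sample history and the hardening drop-in it builds are constructed for the demo. It does two things a practitioner would want here: recover what root actually ran (and what the scanner ran via `su`) from a history file flooded with wrapper lines, and grep the start-up files for the settings that make a non-interactive `su -c` shell write history in the first place.

```shell
#!/bin/sh
# Added example, not from the original question or comments.
#   1. separate root's own commands from the scanner's "priv_escl_start_" /
#      "command_start_" wrapper lines in a bash history file;
#   2. grep the usual shell start-up files for the settings that make a
#      non-interactive (su -c) shell write history at all.
# All paths and sample content below are constructed for the demo.

# Lines the scanner wrote carry the priv_escl_start_ and command_start_
# markers quoted in the question. Everything else is what root actually typed.
filter_scanner_lines() {
    grep -v -e 'priv_escl_start_' -e 'command_start_' "$1"
}

count_real_commands() {
    grep -v -c -e 'priv_escl_start_' -e 'command_start_' "$1"
}

# Recover the command each wrapper executed as root: the text between the
# command_start_ printf and the command_done_ printf inside the su -c string.
wrapped_commands() {
    grep 'command_start_' "$1" \
    | sed -n "s/.*command_start_%s\" \"[^\"]*\"; \(.*\); printf \"command_done_.*/\1/p"
}

# Locate where history is configured. $1 is the root of the tree to search
# ("" for a live system, a scratch directory in the demo). The pattern covers
# the HIST* variables, PROMPT_COMMAND (often 'history -a'), and the two ways of
# switching history on in a shell that would otherwise not record it.
find_history_settings() {
    grep -rnE 'HIST(FILE|SIZE|FILESIZE|CONTROL|TIMEFORMAT|IGNORE)|PROMPT_COMMAND|history -a|set -o history|shopt .*hist' \
        "$1/etc/profile" "$1/etc/bashrc" "$1/etc/bash.bashrc" "$1/etc/profile.d" \
        "$1/root/.bashrc" "$1/root/.bash_profile" 2>/dev/null
}

# Build a throw-away tree with a constructed root history (two real commands
# around two scanner wrappers with made-up 8-character tokens) and a
# hypothetical hardening drop-in that switches history logging on.
# Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root" "$d/etc/profile.d"
    cat > "$d/root/.bash_history" <<'EOF'
systemctl restart sshd
LANG=C; printf "priv_escl_start_%s" "Ab3dE9fG"; su root -c 'printf "command_start_%s" "Hk2LmN4p"; LC_ALL=C cat '\''/proc/31434/cmdline'\'' 2>/dev/null; printf "command_done_%s" "Qr5StU7v"'; printf "priv_escl_end_%s" "Wx8YzA1b"
LANG=C; printf "priv_escl_start_%s" "Cd2EfG3h"; su root -c 'printf "command_start_%s" "Ij4KlM5n"; LC_ALL=C id 2>/dev/null; printf "command_done_%s" "Op6QrS7t"'; printf "priv_escl_end_%s" "Uv8WxY9z"
vi /etc/ssh/sshd_config
EOF
    cat > "$d/etc/profile.d/history.sh" <<'EOF'
# hypothetical hardening drop-in (constructed for this example)
export HISTFILE=/root/.bash_history
export HISTSIZE=1000
export PROMPT_COMMAND='history -a'
EOF
    printf '%s\n' "$d"
}

# Demo run against the constructed tree.
demo=$(make_sample_tree)
echo "== what root actually ran =="
filter_scanner_lines "$demo/root/.bash_history"
echo "== what the scanner ran via su =="
wrapped_commands "$demo/root/.bash_history"
echo "== where history is switched on =="
find_history_settings "$demo"
rm -rf "$demo"
```

On a live host, call `find_history_settings ""` as root to search the real start-up files. A shell started by `su root -c '...'` is non-interactive and, by default, bash does not write HISTFILE from a non-interactive shell, so for these lines to land in root's history something in those files has to turn history on for it; whatever the grep turns up is the write-side fix, while `filter_scanner_lines` is only a read-side workaround for the history already collected.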

0 Answers