Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > gnu.bash.bug > #11332

Re: Feature Request re: syslog and bashhist

From aixtools <aixtools@gmail.com>
Newsgroups gnu.bash.bug
Subject Re: Feature Request re: syslog and bashhist
Date 2015-08-12 20:48 +0200
Message-ID <mailman.8218.1439405347.904.bug-bash@gnu.org> (permalink)
References <55C78FC8.1050609@gmail.com> <55C9073C.3030203@case.edu> <mailman.8184.1439375524.904.bug-bash@gnu.org> <mqfd1l$flc$1@dont-email.me> <55CB47FA.2000104@case.edu>

Show all headers | View raw

On 2015-08-12 3:19 PM, Chet Ramey wrote:
> On 8/12/15 8:09 AM, Aharon Robbins wrote:
>> In article<mailman.8184.1439375524.904.bug-bash@gnu.org>,
>> aixtools<aixtools@gmail.com>  wrote:
>>> In short, having it included in ./configure simply give it much more
>>> visibility - and perhaps adoption.
>> Personally, I think that having bash send executed commands to syslog
>> is an invasion of privacy; I'm surprised such a feature is even there
>> at all...
> And this is why it's not easy to turn on.  It's there for that small
> set of system administrators who need it to satisfy some external
> auditing requirement (in some cases legally required) -- that's why it's
> available in the first place.
>
I guess my customer set all fall into this category.

And it is not fail safe - anyone willing, or able to use another shell 
can execute
a program such as vi, and then use a shell escape to start a different 
shell that is not logging.
Which is why auditing is used, which is involuntary from an application 
perspective.

So, referring back to John's addition, this would be useful for case #2.

Where it could be useful for case #3 - would be if bash had (or maybe 
has) an option to display
the configure arguments (which generally does not include -D flags), 
such as perl -V, or httpd -V.

Basically, if you have nothing to hide - it should not matter. More 
likely, it is a mechanism that
can prove your innocence should there ever be any doubt about what you 
did, or did not do.

Even in Germany - which has the reputation for most "protective" privacy 
laws. To meet PCI compliance
and others (I think even government in some sectors) - all commands are 
stored in order to perform an
audit in the case of a suspected security breach.

In any case, I understand that it is a sensitive topic - not one that I 
will be deciding.

I guess it might be worth a discussion to be able to see from a 
command-line option to know, one way or the other
if the feature is (potentially) active.

In short - Chet - as if I had a choice :p @ me - I bow to your wisdom!

Back to gnu.bash.bug | Previous | NextPrevious in thread | Find similar

Thread

Re: Feature Request re: syslog and bashhist aixtools <aixtools@gmail.com> - 2015-08-12 12:31 +0200
  Re: Feature Request re: syslog and bashhist arnold@skeeve.com (Aharon Robbins) - 2015-08-12 12:09 +0000
    Re: Feature Request re: syslog and bashhist Greg Wooledge <wooledg@eeg.ccf.org> - 2015-08-12 09:06 -0400
    Re: Feature Request re: syslog and bashhist Chet Ramey <chet.ramey@case.edu> - 2015-08-12 09:19 -0400
    Re: Feature Request re: syslog and bashhist aixtools <aixtools@gmail.com> - 2015-08-12 20:48 +0200

csiph-web