Path: csiph.com!xmission!news.glorb.com!usenet.stanford.edu!not-for-mail From: aixtools Newsgroups: gnu.bash.bug Subject: Re: Feature Request re: syslog and bashhist Date: Wed, 12 Aug 2015 20:48:58 +0200 Lines: 51 Approved: bug-bash@gnu.org Message-ID: References: <55C78FC8.1050609@gmail.com> <55C9073C.3030203@case.edu> <55CB47FA.2000104@case.edu> NNTP-Posting-Host: lists.gnu.org Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Trace: usenet.stanford.edu 1439405347 19403 208.118.235.17 (12 Aug 2015 18:49:07 GMT) X-Complaints-To: action@cs.stanford.edu Cc: bug-bash@gnu.org To: chet.ramey@case.edu Envelope-to: bug-bash@gnu.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=aGZsIt0SyATS1mKchUCCp44G7HlW6ubVEpz6GxOlF/4=; b=E3jyrUuG4Sq8SaNsHGketvWj/LHGM6DbO85roXvQYJuUyqTjfiN4L8BWV9h/skYPOk Jsfl2PJkaDp7XcYWevQe9CH2l//iVy8PWQihRbue27wMTR/CLM0Upr7DjoY2O9BHqoox kPSaE6jVje5Bbo48aErui8eXV8OQ8EyDC+keahxIRA2GkojwpUtU5FReJArj8p5hD/7W FdsHHZCNKoRqvaFqoUkTL6XofAKXDbMqYsBelZ/JOHSEQn6RKCFY/E6IMM/teblLYXKB +96dMWwFKqP4owj8Zlx5Kfi7WzWxK2BT61N/zniaEALSulnoTPb1ZqzSVEj5uEhQMTpt Os0A== X-Received: by 10.180.207.242 with SMTP id lz18mr47390989wic.66.1439405340473; Wed, 12 Aug 2015 11:49:00 -0700 (PDT) User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 In-Reply-To: <55CB47FA.2000104@case.edu> X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2a00:1450:400c:c05::22b X-BeenThere: bug-bash@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Bug reports for the GNU Bourne Again SHell List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Xref: csiph.com gnu.bash.bug:11332 On 2015-08-12 3:19 PM, Chet Ramey wrote: > On 8/12/15 8:09 AM, Aharon Robbins wrote: >> In article, >> aixtools wrote: >>> In short, having it included in ./configure simply give it much more >>> visibility - and perhaps adoption. >> Personally, I think that having bash send executed commands to syslog >> is an invasion of privacy; I'm surprised such a feature is even there >> at all... > And this is why it's not easy to turn on. It's there for that small > set of system administrators who need it to satisfy some external > auditing requirement (in some cases legally required) -- that's why it's > available in the first place. > I guess my customer set all fall into this category. And it is not fail safe - anyone willing, or able to use another shell can execute a program such as vi, and then use a shell escape to start a different shell that is not logging. Which is why auditing is used, which is involuntary from an application perspective. So, referring back to John's addition, this would be useful for case #2. Where it could be useful for case #3 - would be if bash had (or maybe has) an option to display the configure arguments (which generally does not include -D flags), such as perl -V, or httpd -V. Basically, if you have nothing to hide - it should not matter. More likely, it is a mechanism that can prove your innocence should there ever be any doubt about what you did, or did not do. Even in Germany - which has the reputation for most "protective" privacy laws. To meet PCI compliance and others (I think even government in some sectors) - all commands are stored in order to perform an audit in the case of a suspected security breach. In any case, I understand that it is a sensitive topic - not one that I will be deciding. I guess it might be worth a discussion to be able to see from a command-line option to know, one way or the other if the feature is (potentially) active. In short - Chet - as if I had a choice :p @ me - I bow to your wisdom!