Seems a little extreme. You could check other users' .cshrc and .tcshrc files and see if there is a builtin mech for (history -c) in a trap or otherwise that might explain it.
If root history is a concern, audit should probably be set up on that system if it runs that deep in the infrastructure before evaluating a secure level and chflags.

> On Mar 31, 2020, at 13:09, Selphie Keller <selphie.kel...@gmail.com> wrote:
>
> You could set a higher securelevel and use system flags like:
> chflags sappnd .history
> Which will prevent it from being erased and only allow appending.
>
> On Tue, 31 Mar 2020 at 10:59, el kalin <ka...@el.net> wrote:
>
>> hi all...
>>
>> noticed that overnight the shell .history file for root was emptied. the
>> file is there but there is no history in it. this is unusual and it's the
>> second time it happens in 2 months. it's particularly peculiar since nobody
>> else has the root password for this machine. i can't see any ssh access in
>> auth.log and ssh access is limited to a handful of ips... how could i
>> figure out what is emptying the .history file?
>>
>> thanks...
>>
>> also, the .cshrc looks like this:
>>
>> set promptchars = "%#"
>>
>> set filec
>> set history = 1000
>> set savehist = (1000 merge)
>> set autolist = ambiguous
>> # Use history to aid expansion
>> set autoexpand
>> set autorehash
>> set mail = (/var/mail/$USER)
>> if ( $?tcsh ) then
>>     bindkey "^W" backward-delete-word
>>     bindkey -k up history-search-backward
>>     bindkey -k down history-search-forward
>> endif
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"

-- 
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
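
Added example, not part of the original messages: one way to do the startup-file check suggested in the reply, as a small sh script that flags csh/tcsh rc lines able to empty the history (`history -c`, unsetting or zeroing `history`/`savehist`, truncating or removing `.history`). The function names, the pattern list and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag csh/tcsh startup-file lines that can empty shell history.

# Extended regex. "^[^#]*" forces a flagged construct to start before the
# first "#" on the line, so commented-out lines are not reported.
PAT='^[^#]*(history[[:space:]]+-c'
PAT="$PAT"'|unset[[:space:]]+(history|savehist)'
PAT="$PAT"'|set[[:space:]]+(history|savehist)[[:space:]]*=[[:space:]]*0([^0-9]|$)'
PAT="$PAT"'|(>|rm[[:space:]]|/dev/null).*\.history)'

scan_csh_rc() {
    # /dev/null as an extra operand makes grep print the file name even
    # when a single file is given. Output format: file:line:text.
    # Returns 0 if anything was flagged, 1 if nothing matched.
    grep -nE -e "$PAT" /dev/null "$@"
}

make_samples() {
    # Constructed inputs: $1/clean.cshrc reuses lines from the .cshrc quoted
    # in the thread; $1/suspect.cshrc is invented for the demonstration.
    cat > "$1/clean.cshrc" <<'EOF'
set history = 1000
set savehist = (1000 merge)
# Use history to aid expansion
bindkey -k up history-search-backward
EOF
    cat > "$1/suspect.cshrc" <<'EOF'
set history = 1000
alias bye 'history -c; exit'
# unset savehist
cp /dev/null ~/.history
EOF
}

if [ "$#" -gt 0 ]; then
    # Real use: pass the rc files to inspect as arguments.
    scan_csh_rc "$@" || echo "nothing flagged"
else
    # No arguments: run against the constructed samples.
    tmp=$(mktemp -d) && make_samples "$tmp"
    scan_csh_rc "$tmp"/*.cshrc || true
    rm -rf "$tmp"
fi
```

A clean result only rules out the rc files passed in; cron jobs or other processes that write to `.history` are outside what this check sees.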