enablesessionhistory

Description

The enablesessionhistory() procedure is used to set the internal read-only variable pbulacasessionhistory. This is used for iologged, ACA controlled shell sessions (for example, bash). The enablesessionhistory() procedure takes a Boolean argument. Values of 1 or true will enable session history. Values of 0 or false will disable session history.

When enabled, the ACA preload library will audit additional information for the secured task (presumably a shell), giving pbreplay the ability to interpret the shell "history", within certain limitations.

Note that iolog must be set, and ACA must be enabled with at least one aca(...) statement.

ACA normally exits when it encounters certain errors. When ACA is used only for session history, and no files or operations are blocked, an optional parameter can be used to cause ACA to continue when those errors are encountered. The task is then allowed to continue, but the session history recorded will be incomplete.

The relevant portion of the policy should be similar to:

aca("file", "default", "all");
enablesessionhistory( true, true );
iolog=<file>;
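The three statements above depend on each other: enablesessionhistory() only has an effect when ACA is enabled by an aca(...) statement and iolog is set, and continue_on_error trades a complete history for an uninterrupted task. The following Python script is an added example, not part of this documentation or of the product, that lints a policy file for exactly those conditions. The sample policies, the iolog paths and the assumption that "#" starts a comment in the policy file are all constructed for the example.

```python
import re

# Constructed sample policies (not from the documentation), modelled on the
# "relevant portion" above. The iolog paths are made up for the example.
POLICY_OK = """
# session history for an audited shell
aca("file", "default", "all");
enablesessionhistory( true );
iolog = "/var/log/pb/iolog.sample";
accept;
"""

POLICY_CONTINUE = """
aca("file", "default", "all");
enablesessionhistory( true, true );
iolog = "/var/log/pb/iolog.sample";
accept;
"""

POLICY_NO_ACA = """
enablesessionhistory( true );   # aca(...) statement forgotten
iolog = "/var/log/pb/iolog.sample";
accept;
"""

# Accepted Boolean spellings, as listed under Arguments.
_BOOL = {"true": True, "1": True, "false": False, "0": False}

# enablesessionhistory( enable_history [, continue_on_error] );
_ENABLE_RE = re.compile(
    r"\benablesessionhistory\s*\(\s*([^,)\s]+)\s*(?:,\s*([^)\s]+)\s*)?\)\s*;"
)
_ACA_RE = re.compile(r"\baca\s*\(")
_IOLOG_RE = re.compile(r"\biolog\s*=\s*\S")


def strip_comments(text: str) -> str:
    """Drop '#' comments to end of line (assumed comment syntax)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_enablesessionhistory(text: str) -> list[tuple[bool, bool]]:
    """Return (enable_history, continue_on_error) for every call found.

    continue_on_error defaults to False when omitted; a ValueError is raised
    when an argument is not one of true/false/1/0.
    """
    calls = []
    for m in _ENABLE_RE.finditer(strip_comments(text)):
        enable = _BOOL.get(m.group(1).lower())
        cont_raw = m.group(2)
        cont = False if cont_raw is None else _BOOL.get(cont_raw.lower())
        if enable is None or cont is None:
            raise ValueError(f"non-Boolean argument in: {m.group(0)}")
        calls.append((enable, cont))
    return calls


def check_policy(text: str) -> list[str]:
    """Return warnings about session-history configuration; [] means no findings."""
    warnings = []
    calls = parse_enablesessionhistory(text)
    if not any(enable for enable, _ in calls):
        return warnings  # session history not requested: nothing to check
    body = strip_comments(text)
    if not _ACA_RE.search(body):
        warnings.append("no aca(...) statement: ACA is not enabled, so no session history will be audited")
    if not _IOLOG_RE.search(body):
        warnings.append("iolog is not set: there is no I/O log for pbreplay --history to read")
    if any(cont for enable, cont in calls if enable):
        warnings.append("continue_on_error is true: ACA errors will not stop the task and the recorded session history may be incomplete")
    return warnings


if __name__ == "__main__":
    for name, policy in [("ok", POLICY_OK), ("continue", POLICY_CONTINUE), ("no_aca", POLICY_NO_ACA)]:
        print(name, check_policy(policy) or ["OK"])
```

Run it against a policy file's contents before deploying the policy; the continue_on_error warning is deliberate, because a policy that enables it should be reviewed with the expectation that the replayed history can have gaps.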

Known limitations

This mechanism cannot capture or reproduce:

  • Shell internals, such as if/then/else, while, math, variable setting or testing
  • Which builtin was used
  • 2>&1 redirection and ordering
  • Complex redirection
  • Exact quoting of argv
  • (complex) | (pipelines)
  • Exact shell history numbering

This feature adds the new --history option to pbreplay, to replay the shell's "history" from the aca iolog. The --history option cannot be used in conjunction with the -A option.

Syntax

enablesessionhistory( enable_history  [, continue_on_error] );

Arguments

enable_history (Required, Boolean): true or 1 to enable, false or 0 to disable.
continue_on_error (Optional, Boolean): true or 1 to enable, false or 0 to disable. Defaults to false.

Example

enablesessionhistory( true );
enablesessionhistory( true, true );

See also

aca()

For more information about pbreplay, please see the Endpoint Privilege Management for Unix and Linux Administration Guide.