~/.bash_profileand~/.bashrcare executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly.~/.bash_profileis executed for login shells and~/.bashrcis executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH),~/.bash_profileis executed before the initial command prompt is returned to the user. After that, every time a new shell is opened,~/.bashrcis executed. This allows users more fine grained control over when they want certain commands executed.Mac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling
each time instead of/.bash_profile/.bashrc.These files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell (Citation: amnesia malware).
echo "#{command_to_add}" >> ~/.bashrc
echo "#{command_to_add}" >> ~/.bash_profile
echo "/home/ec2-user/welcome.sh" >>~/.bash_profile
echo "/home/ec2-user/welcome.sh" >>~/.bashrc
auditlogs (audit.rules)
bash_history logs
index=linux sourcetype=linux_audit bashrc_changes
-w /home/ec2-user/.bashrc -p wa -k bashrc_changes
-w /home/ec2-user/.bash_profile -p wa -k bashrc_changes
index=linux sourcetype=bash_history bash_command="nano .bashrc" OR bash_command="vi .bashrc" OR echo .bashrc | table host,user_name,bash_command
index=linux sourcetype=bash_history bash_command="nano .bashrc_profile" OR bash_command="vi .bashrc_profile" OR echo .bashrc_profile | table host,user_name,bash_command
We need to add audit rules for each users' bashrc & bash_profile files under their home locations.Wildcard expression () is not accepted in the audit.rules so we can NOT create a rule that watches the path = /home//.bash_history