[Bug] Tampering of Bash Command-Line History #92

@rubinatorz

Description

Describe the bug
The "Tampering of Bash Command-Line History" rule has logic to detect the use of the commands export, set, unset and history. These specific commands are bash shell builtins, which don't start a process, while the rule checks for process start/process_started events. Those builtin commands are also not logged by the Elastic agent. When performing tests for this rule, executing those specific commands with their matching arguments doesn't trigger alerts for this rule (other commands covered by the rule do trigger alerts).

To Reproduce
Steps to reproduce the behavior:

  1. Execute one of the commands export, set, unset, history with the matching arguments covered in the rule, for example: set +o history
  2. Check events and alerts being logged.
  3. No event is logged and no alert is triggered.

Expected behavior
As far as I know, Elastic doesn't log bash shell builtin commands. And as those builtin commands don't start a process, no alerts are triggered. So I wonder why the rule tries to detect these commands. Is there a way to make Elastic trigger on those builtin commands? The only way I could think of is using bash -c "command". But that's not obvious and doesn't cover adversary behaviour using it directly in bash.

Desktop (please complete the following information):

  • OS: Linux
  • Version: any
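The following is an added example, not code from the issue or from the Elastic rule, that models what the issue describes: a detection that reads only process_started events never sees a builtin typed directly into an interactive bash, because no process is created, while the same builtin run through `bash -c "..."` does arrive as the wrapper's arguments. The event field names (`event.action`, `process.args`), the sample events and the simplified matching logic (command name only, with `;`/`&&`/`||`/`|` splitting of the inner command line) are assumptions for illustration; the real rule's argument matching is not reproduced here.

```python
"""Added example: why a process-event rule misses bash builtins.

Not the Elastic rule's code. Event shape and matching logic are assumptions.
"""
import shlex

# Builtins named in the issue. A rule keyed on process starts can only see
# them when some *process* carries them in its argument list.
HISTORY_BUILTINS = {"export", "set", "unset", "history"}
SHELL_WRAPPERS = {"bash", "sh"}
SEPARATORS = {";", "&&", "||", "|"}

# Constructed sample telemetry for one terminal session (assumed ECS-like
# field names). Note what is *absent*: the operator also typed
# `set +o history` directly at the prompt, and nothing was emitted for it,
# because an interactive builtin forks no process.
SAMPLE_EVENTS = [
    {"event.action": "process_started", "process.args": ["ls", "-la"]},
    {"event.action": "process_started",
     "process.args": ["/bin/bash", "-c", "set +o history"]},
    {"event.action": "process_started",
     "process.args": ["sh", "-c", "echo hi; history"]},
    {"event.action": "process_started", "process.args": ["cat", "/etc/hostname"]},
    {"event.action": "process_ended", "process.args": ["cat", "/etc/hostname"]},
]


def tokenize(cmdline):
    """Tokenize a shell command string, keeping ; && || | as separate tokens."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def inner_command(args):
    """Return the tokens the rule should inspect.

    For `bash -c "<cmd>"` (or sh -c) that is the tokenized inner string;
    otherwise the process arguments themselves.
    """
    if len(args) >= 3 and args[0].rsplit("/", 1)[-1] in SHELL_WRAPPERS and args[1] == "-c":
        return tokenize(args[2])
    return list(args)


def split_commands(tokens):
    """Split a token list into simple commands on shell separators."""
    cmds, cur = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


def matches_rule(args):
    """True when any simple command in the argument list names one of the builtins."""
    return any(cmd and cmd[0] in HISTORY_BUILTINS
               for cmd in split_commands(inner_command(args)))


def alerts(events):
    """Return the argument lists of process_started events that would alert."""
    return [e["process.args"] for e in events
            if e.get("event.action") == "process_started" and matches_rule(e["process.args"])]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block alerts only on the two wrapped invocations; the bare `set +o history` typed at the prompt produces no event and therefore nothing for `matches_rule` to evaluate, which is exactly the coverage gap the issue reports. Closing it needs a different data source (shell auditing such as bash's own command logging or an audit framework with syscall-level hooks), not a change to the process-event pattern.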

Labels: behavior (Endpoint behavior issues), bug (Something isn't working)