Detailed Loging As Users sudo to Shared Account and continue to work
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
View Poll Results: Can Sudo Activity Peformed by a Shared Account (after a su) be Associated with a Unique User ID
Detailed Loging As Users sudo to Shared Account and continue to work
My users are using Red Hat Enterprise Linux 6. My goal is to differentate what users are performing sudo activity, after they su "to" a shared account. Below is the process my users peform:
Step 1 users loign with there unique user credentials
Step 2 users then su to a shared account
Step 3 As the shared account users peform sudo activity
In step 1 and 2 I have an audit trail of which unique user logged in and which unique user preformed an su and to what account.
In step 3 my audits only record that the shared account peformed sudo activity and it records what sudo activity, in /var/log/secure. The problem is I can not trace back step 3 to a unique user, and instead all the sudo activity is being recorded as being peformed as the shared account. This recording and type of recording is driven by the rsyslog.conf file (sylog.conf in Red Hat 5) and is performing what it is designed to do. I'm asking that the system record in further detail the unique user that is emulating the shared account. A good example of where this is being recored is the in audit.log (/var/log/audit/audit.log). In the audit.log it actually records activity generated by a unique user (auid - actual user id) along with the group id (guid), sudo id, etc. Essentally the audit.log records in the record the unique user along with who the user was emulating and what commands were executed or files accessed. Unfortuneately audit.log is not desinged to record general sudo activity, instead this is driven by /etc/rsyslog.conf and recorded in /var/log/secure. Does anyone now what addititonal lines I can add to the /etc/rsyslog.conf to have it list/record the unique user or UID associated with the sudo activity, not just what sudo activity the shared user account performed? A million thanks, Johnny Mac
Can you track the PID or parent PID in those files?
If so, the parent of any command should be the shell that launched it, and the parent of that shell will be the original user's shell.
For example:
A user logs into the machine, they're given a shell with PID 13243
The user runs su to the shared account, they're given a shell with PID 13334, and parent PID 13243
The user runs something as sudo, it logs the PID of the process, as well as the PID of its parent (13334), which you can then cross-reference back to their original shell of 13243 and determine the original user
After provoking the system I did locate the inital PID assigned to the user login (in /var/log/secure) but after logging into the shared account and provoking a sudo event, I could not find an associated Parent PID (PPID) to this event in /var/log/secure or /var/log/audit/audit.log. The /var/log/audit/audit.log does display PPID data if I isolate activity or file access in the /etc/audit/audit.rules however, my audit.rules is focused on failed activity (such as users trying to change the date/time on the system) or all access to security relivant files (such as users trying to delete audit.log).
Should I be looking at a different log in order to find the PPID when general users who perform a succesful suod action?
I'd force users to do everything through 'rootsh' (doesn't necessarily have to be root-privileged tasks) as together with the audit service, combined with remote syslog, you may not have a concise but a (nearly) complete audit trail.
My users are using Red Hat Enterprise Linux 6. My goal is to differentate what users are performing sudo activity, after they su "to" a shared account. Below is the process my users peform:
Step 1 users loign with there unique user credentials
Step 2 users then su to a shared account
Step 3 As the shared account users peform sudo activity
In step 1 and 2 I have an audit trail of which unique user logged in and which unique user preformed an su and to what account.
In step 3 my audits only record that the shared account peformed sudo activity and it records what sudo activity, in /var/log/secure. The problem is I can not trace back step 3 to a unique user, and instead all the sudo activity is being recorded as being peformed as the shared account. This recording and type of recording is driven by the rsyslog.conf file (sylog.conf in Red Hat 5) and is performing what it is designed to do. I'm asking that the system record in further detail the unique user that is emulating the shared account. A good example of where this is being recored is the in audit.log (/var/log/audit/audit.log). In the audit.log it actually records activity generated by a unique user (auid - actual user id) along with the group id (guid), sudo id, etc. Essentally the audit.log records in the record the unique user along with who the user was emulating and what commands were executed or files accessed. Unfortuneately audit.log is not desinged to record general sudo activity, instead this is driven by /etc/rsyslog.conf and recorded in /var/log/secure. Does anyone now what addititonal lines I can add to the /etc/rsyslog.conf to have it list/record the unique user or UID associated with the sudo activity, not just what sudo activity the shared user account performed? A million thanks, Johnny Mac
To solve this problem, you should use the commercial CaclMgr software, that's a more secure solution and you can achieve the desired result by creating a special group, and put those accounts in that group, and then use CaclMgr to grant that group to have root or dba and app admin privilege to run certain commands, scripts.
There is a test machine with CaclMgr available for public to test, available at 54.186.62.42, can use ssh to login to account "roger" with password "roger098".
I opened a few pages related to the software and they are all broken. I'd ignore that software(caclmgr), since they can't even keep their web pages up.
We needed a secure privilege delegation software.
In the past, we evaluated sudo, but at that time, we found sudo had provided too many options, that's bad thing for maintain security for user to use the software and also more complicated software could have more bugs. We also monitored the bug fixes of the software, found a lot of the bugs fixed were related with security, so this software has a bad reputation for security.
We found the CaclMgr software many years ago, and tested it and compared with sudo, found it provided a lot of help to maintain privilege delegation security, just an example, when we need to grant DBA privilege to a user to run a script, we just need to use a dba account to do so, and if by mistake the script permission was not set up properly, the target user can modify it, the CaclMgr can detect it. The current version we use even can provide pretty good protection for password: with sudo, when the software prompts user to enter password, the password can be stolen by malicious person if that person can run strace to attach to the process, or by reading the tty that user uses. CaclMgr can detect those attacks. Even the logs generated CaclMgr will be more trustworthy than the logs generated by sudo by default.
I have used linux since slackware 1.0. Some people believe open source will make sofwtare more secure, but from the sudo problem, the OpenSSH Ebury problem, and now the openssl heartbleed problem, they just tell the opposite stories: those are very popular software, have many vendors include those software in their distributions, should have many security people checked the codes.
So, my conclusion is whether a software will be more secure or not is not very related with whether it's open source or not, it's more related with who are the developers.
I opened a few pages related to the software and they are all broken. I'd ignore that software(caclmgr), since they can't even keep their web pages up.
Now obviously I have a slight advantage over regular forum users but calculate the odds of you dodging my questions but still having a favorable reply posted to my question within 24 hours? That's called using a shill, Roger Gong, and it makes your efforts all the more suspect.
I'm a UNIX/Linux technical person, interested in security related stuff
Quote:
Originally Posted by unSpawn
Now obviously I have a slight advantage over regular forum users but calculate the odds of you dodging my questions but still having a favorable reply posted to my question within 24 hours? That's called using a shill, Roger Gong, and it makes your efforts all the more suspect.
For security technical issue, I try to understand it and try to find solution, and if people face the same issue, I would tell them what I already know.
No you don't. I'd say you're just here to advertise your closed source, commercially licensed software and dodging any questions about it.
Please do not do that anymore on LQ unless you have reached prior agreement with Jeremy, LQ's owner, allowing you to advertise your socalled "software".
Are you saying if a problem's solution involves commercial software
Quote:
Originally Posted by unSpawn
No you don't. I'd say you're just here to advertise your closed source, commercially licensed software and dodging any questions about it.
Please do not do that anymore on LQ unless you have reached prior agreement with Jeremy, LQ's owner, allowing you to advertise your socalled "software".
Do note that actually getting permission to promote your software does not detract from the fact that your software is closed source (and therefore a liability as it is not open to public scrutiny), that you categorically dodge any requests for clarification and that you are using highly questionable tactics to promote it (scaremongering, shill). Do you understand what I am saying?
We needed a secure privilege delegation software.
In the past, we evaluated sudo, but at that time, we found sudo had provided too many options, that's bad thing for maintain security for user to use the software and also more complicated software could have more bugs.
The options are there to give the administrator the ability to do what is required.
Quote:
We also monitored the bug fixes of the software, found a lot of the bugs fixed were related with security, so this software has a bad reputation for security.
Considering that the software is aimed at security, ALL bugs fixed would be related to security.
Quote:
We found the CaclMgr software many years ago, and tested it and compared with sudo, found it provided a lot of help to maintain privilege delegation security, just an example, when we need to grant DBA privilege to a user to run a script, we just need to use a dba account to do so, and if by mistake the script permission was not set up properly, the target user can modify it, the CaclMgr can detect it.
Allowing the user to change anything about the script is considered a security violation. And since you depend on CaclMgr to detect it after the fact means it is already too late.
Quote:
The current version we use even can provide pretty good protection for password: with sudo, when the software prompts user to enter password, the password can be stolen by malicious person if that person can run strace to attach to the process, or by reading the tty that user uses. CaclMgr can detect those attacks.
If a "person can run strace to attch to the process" using passwd, then your system has already been compromised, and it doesn't matter what else you have as that person has root.
Quote:
Even the logs generated CaclMgr will be more trustworthy than the logs generated by sudo by default.
Ah no. if a person hacks root they can do damn well whatever they want to. And no local log files are safe.
Quote:
I have used linux since slackware 1.0. Some people believe open source will make sofwtare more secure, but from the sudo problem, the OpenSSH Ebury problem, and now the openssl heartbleed problem, they just tell the opposite stories: those are very popular software, have many vendors include those software in their distributions, should have many security people checked the codes.
Just because the people auditing the software missed something does not mean they weren't looking. Proprietary software still has more bugs per unit of code than open source code. Mostly because fewer people are looking for problems. People that write software are frequently too focused on the problem they are solving, and don't spot exceptions. That is why automated testing helps - though the testing tools can only detect what they were programmed to detect.
Quote:
So, my conclusion is whether a software will be more secure or not is not very related with whether it's open source or not, it's more related with who are the developers.
It is more secure. And if you don't feel it is, audit the code yourself. Prove it is not as secure.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.