LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


View Poll Results: Can Sudo Activity Peformed by a Shared Account (after a su) be Associated with a Unique User ID
Yes 0 0%
No 3 100.00%
Not without a great deal of diffuculty 0 0%
Try a different Approach 1 33.33%
Multiple Choice Poll. Voters: 3. You may not vote on this poll

Reply
  Search this Thread
Old 04-28-2014, 05:05 PM   #1
johnmccarthy
Member
 
Registered: Jul 2010
Posts: 64

Rep: Reputation: 1
Smile Detailed Loging As Users sudo to Shared Account and continue to work


My users are using Red Hat Enterprise Linux 6. My goal is to differentate what users are performing sudo activity, after they su "to" a shared account. Below is the process my users peform:

Step 1 users loign with there unique user credentials
Step 2 users then su to a shared account
Step 3 As the shared account users peform sudo activity

In step 1 and 2 I have an audit trail of which unique user logged in and which unique user preformed an su and to what account.

In step 3 my audits only record that the shared account peformed sudo activity and it records what sudo activity, in /var/log/secure. The problem is I can not trace back step 3 to a unique user, and instead all the sudo activity is being recorded as being peformed as the shared account. This recording and type of recording is driven by the rsyslog.conf file (sylog.conf in Red Hat 5) and is performing what it is designed to do. I'm asking that the system record in further detail the unique user that is emulating the shared account. A good example of where this is being recored is the in audit.log (/var/log/audit/audit.log). In the audit.log it actually records activity generated by a unique user (auid - actual user id) along with the group id (guid), sudo id, etc. Essentally the audit.log records in the record the unique user along with who the user was emulating and what commands were executed or files accessed. Unfortuneately audit.log is not desinged to record general sudo activity, instead this is driven by /etc/rsyslog.conf and recorded in /var/log/secure. Does anyone now what addititonal lines I can add to the /etc/rsyslog.conf to have it list/record the unique user or UID associated with the sudo activity, not just what sudo activity the shared user account performed? A million thanks, Johnny Mac
 
Old 04-28-2014, 05:16 PM   #2
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947
Can you track the PID or parent PID in those files?

If so, the parent of any command should be the shell that launched it, and the parent of that shell will be the original user's shell.

For example:
A user logs into the machine, they're given a shell with PID 13243
The user runs su to the shared account, they're given a shell with PID 13334, and parent PID 13243
The user runs something as sudo, it logs the PID of the process, as well as the PID of its parent (13334), which you can then cross-reference back to their original shell of 13243 and determine the original user
 
Old 04-29-2014, 08:28 AM   #3
johnmccarthy
Member
 
Registered: Jul 2010
Posts: 64

Original Poster
Rep: Reputation: 1
Smile Attempted to locate PID and Parent PID

After provoking the system I did locate the inital PID assigned to the user login (in /var/log/secure) but after logging into the shared account and provoking a sudo event, I could not find an associated Parent PID (PPID) to this event in /var/log/secure or /var/log/audit/audit.log. The /var/log/audit/audit.log does display PPID data if I isolate activity or file access in the /etc/audit/audit.rules however, my audit.rules is focused on failed activity (such as users trying to change the date/time on the system) or all access to security relivant files (such as users trying to delete audit.log).

Should I be looking at a different log in order to find the PPID when general users who perform a succesful suod action?

A million thanks in advance,
Johnnn Mac
 
Old 04-30-2014, 04:49 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
I'd force users to do everything through 'rootsh' (doesn't necessarily have to be root-privileged tasks) as together with the audit service, combined with remote syslog, you may not have a concise but a (nearly) complete audit trail.
 
Old 05-01-2014, 06:28 AM   #5
wzis
LQ Newbie
 
Registered: Dec 2013
Posts: 13

Rep: Reputation: Disabled
Thumbs up

Quote:
Originally Posted by johnmccarthy View Post
My users are using Red Hat Enterprise Linux 6. My goal is to differentate what users are performing sudo activity, after they su "to" a shared account. Below is the process my users peform:

Step 1 users loign with there unique user credentials
Step 2 users then su to a shared account
Step 3 As the shared account users peform sudo activity

In step 1 and 2 I have an audit trail of which unique user logged in and which unique user preformed an su and to what account.

In step 3 my audits only record that the shared account peformed sudo activity and it records what sudo activity, in /var/log/secure. The problem is I can not trace back step 3 to a unique user, and instead all the sudo activity is being recorded as being peformed as the shared account. This recording and type of recording is driven by the rsyslog.conf file (sylog.conf in Red Hat 5) and is performing what it is designed to do. I'm asking that the system record in further detail the unique user that is emulating the shared account. A good example of where this is being recored is the in audit.log (/var/log/audit/audit.log). In the audit.log it actually records activity generated by a unique user (auid - actual user id) along with the group id (guid), sudo id, etc. Essentally the audit.log records in the record the unique user along with who the user was emulating and what commands were executed or files accessed. Unfortuneately audit.log is not desinged to record general sudo activity, instead this is driven by /etc/rsyslog.conf and recorded in /var/log/secure. Does anyone now what addititonal lines I can add to the /etc/rsyslog.conf to have it list/record the unique user or UID associated with the sudo activity, not just what sudo activity the shared user account performed? A million thanks, Johnny Mac
To solve this problem, you should use the commercial CaclMgr software, that's a more secure solution and you can achieve the desired result by creating a special group, and put those accounts in that group, and then use CaclMgr to grant that group to have root or dba and app admin privilege to run certain commands, scripts.
There is a test machine with CaclMgr available for public to test, available at 54.186.62.42, can use ssh to login to account "roger" with password "roger098".
 
Old 05-01-2014, 02:44 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by wzis View Post
you should use the commercial CaclMgr software,
Why should one favor closed source, commercially licensed software?
Are you incidentally the vendor, creator or reseller of said software?


Quote:
Originally Posted by wzis View Post
that's a more secure solution
"More secure" than what? Please explain objectively, in detail and without hyping a certain product?
 
Old 05-01-2014, 02:48 PM   #7
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 3,774
Blog Entries: 1

Rep: Reputation: 1339Reputation: 1339Reputation: 1339Reputation: 1339Reputation: 1339Reputation: 1339Reputation: 1339Reputation: 1339Reputation: 1339Reputation: 1339
I opened a few pages related to the software and they are all broken. I'd ignore that software(caclmgr), since they can't even keep their web pages up.
 
Old 05-01-2014, 07:15 PM   #8
unixabc
LQ Newbie
 
Registered: May 2014
Posts: 1

Rep: Reputation: 1
Smile We have used CaclMgr for many years

We needed a secure privilege delegation software.
In the past, we evaluated sudo, but at that time, we found sudo had provided too many options, that's bad thing for maintain security for user to use the software and also more complicated software could have more bugs. We also monitored the bug fixes of the software, found a lot of the bugs fixed were related with security, so this software has a bad reputation for security.
We found the CaclMgr software many years ago, and tested it and compared with sudo, found it provided a lot of help to maintain privilege delegation security, just an example, when we need to grant DBA privilege to a user to run a script, we just need to use a dba account to do so, and if by mistake the script permission was not set up properly, the target user can modify it, the CaclMgr can detect it. The current version we use even can provide pretty good protection for password: with sudo, when the software prompts user to enter password, the password can be stolen by malicious person if that person can run strace to attach to the process, or by reading the tty that user uses. CaclMgr can detect those attacks. Even the logs generated CaclMgr will be more trustworthy than the logs generated by sudo by default.
I have used linux since slackware 1.0. Some people believe open source will make sofwtare more secure, but from the sudo problem, the OpenSSH Ebury problem, and now the openssl heartbleed problem, they just tell the opposite stories: those are very popular software, have many vendors include those software in their distributions, should have many security people checked the codes.
So, my conclusion is whether a software will be more secure or not is not very related with whether it's open source or not, it's more related with who are the developers.
 
1 members found this post helpful.
Old 05-02-2014, 01:45 AM   #9
wzis
LQ Newbie
 
Registered: Dec 2013
Posts: 13

Rep: Reputation: Disabled
Probably you looked at the old site?

Quote:
Originally Posted by szboardstretcher View Post
I opened a few pages related to the software and they are all broken. I'd ignore that software(caclmgr), since they can't even keep their web pages up.
the wzce site is over 10 years old, out-dated.
 
Old 05-02-2014, 02:32 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by wzis View Post
the wzce site is over 10 years old, out-dated.
Now obviously I have a slight advantage over regular forum users but calculate the odds of you dodging my questions but still having a favorable reply posted to my question within 24 hours? That's called using a shill, Roger Gong, and it makes your efforts all the more suspect.
 
Old 05-02-2014, 05:24 PM   #11
wzis
LQ Newbie
 
Registered: Dec 2013
Posts: 13

Rep: Reputation: Disabled
I'm a UNIX/Linux technical person, interested in security related stuff

Quote:
Originally Posted by unSpawn View Post
Now obviously I have a slight advantage over regular forum users but calculate the odds of you dodging my questions but still having a favorable reply posted to my question within 24 hours? That's called using a shill, Roger Gong, and it makes your efforts all the more suspect.
For security technical issue, I try to understand it and try to find solution, and if people face the same issue, I would tell them what I already know.
 
Old 05-03-2014, 05:10 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
No you don't. I'd say you're just here to advertise your closed source, commercially licensed software and dodging any questions about it.
Please do not do that anymore on LQ unless you have reached prior agreement with Jeremy, LQ's owner, allowing you to advertise your socalled "software".
 
Old 05-03-2014, 07:13 PM   #13
wzis
LQ Newbie
 
Registered: Dec 2013
Posts: 13

Rep: Reputation: Disabled
Are you saying if a problem's solution involves commercial software

Quote:
Originally Posted by unSpawn View Post
No you don't. I'd say you're just here to advertise your closed source, commercially licensed software and dodging any questions about it.
Please do not do that anymore on LQ unless you have reached prior agreement with Jeremy, LQ's owner, allowing you to advertise your socalled "software".
It's not allowed to be presented here?
 
Old 05-04-2014, 05:27 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by wzis View Post
Are you saying if a problem's solution involves commercial software it's not allowed to be presented here?
If you want to advertise on Linuxquestions.org then you need to get permission: you start the process by sending Jeremy a message.

Do note that actually getting permission to promote your software does not detract from the fact that your software is closed source (and therefore a liability as it is not open to public scrutiny), that you categorically dodge any requests for clarification and that you are using highly questionable tactics to promote it (scaremongering, shill). Do you understand what I am saying?
 
Old 05-04-2014, 08:10 AM   #15
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,600

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
Quote:
Originally Posted by unixabc View Post
We needed a secure privilege delegation software.
In the past, we evaluated sudo, but at that time, we found sudo had provided too many options, that's bad thing for maintain security for user to use the software and also more complicated software could have more bugs.
The options are there to give the administrator the ability to do what is required.
Quote:
We also monitored the bug fixes of the software, found a lot of the bugs fixed were related with security, so this software has a bad reputation for security.
Considering that the software is aimed at security, ALL bugs fixed would be related to security.
Quote:
We found the CaclMgr software many years ago, and tested it and compared with sudo, found it provided a lot of help to maintain privilege delegation security, just an example, when we need to grant DBA privilege to a user to run a script, we just need to use a dba account to do so, and if by mistake the script permission was not set up properly, the target user can modify it, the CaclMgr can detect it.
Allowing the user to change anything about the script is considered a security violation. And since you depend on CaclMgr to detect it after the fact means it is already too late.
Quote:
The current version we use even can provide pretty good protection for password: with sudo, when the software prompts user to enter password, the password can be stolen by malicious person if that person can run strace to attach to the process, or by reading the tty that user uses. CaclMgr can detect those attacks.
If a "person can run strace to attch to the process" using passwd, then your system has already been compromised, and it doesn't matter what else you have as that person has root.
Quote:
Even the logs generated CaclMgr will be more trustworthy than the logs generated by sudo by default.
Ah no. if a person hacks root they can do damn well whatever they want to. And no local log files are safe.
Quote:
I have used linux since slackware 1.0. Some people believe open source will make sofwtare more secure, but from the sudo problem, the OpenSSH Ebury problem, and now the openssl heartbleed problem, they just tell the opposite stories: those are very popular software, have many vendors include those software in their distributions, should have many security people checked the codes.
Just because the people auditing the software missed something does not mean they weren't looking. Proprietary software still has more bugs per unit of code than open source code. Mostly because fewer people are looking for problems. People that write software are frequently too focused on the problem they are solving, and don't spot exceptions. That is why automated testing helps - though the testing tools can only detect what they were programmed to detect.
Quote:
So, my conclusion is whether a software will be more secure or not is not very related with whether it's open source or not, it's more related with who are the developers.
It is more secure. And if you don't feel it is, audit the code yourself. Prove it is not as secure.

Then offer the patches to make it more secure.

That is how open source improves.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] I can't make partial sudo account work on ubuntu server 10.04 Highjo Linux - Server 3 03-04-2014 10:12 AM
Any detailed instruction to remote debug shared library in QtCreator in Linux ? 5883 Programming 7 12-24-2013 02:12 PM
howto log usage of shared account (root account) after `sudo su -` drManhattan Linux - Server 5 09-30-2011 08:48 AM
Can't use sudo, only account that's not root is not a sudo'ers [Ubuntu 9.10] randyriver10 Linux - Desktop 1 01-09-2010 08:56 PM
running mail server and loging other users in same time WannaLearnLinux Linux - Newbie 4 04-28-2006 06:20 PM


All times are GMT -5. The time now is 01:52 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration