LinuxQuestions.org

Linux - Newbie forum thread: https://www.linuxquestions.org/questions/linux-newbie-8/how-could-i-find-out-who-had-rebooted-my-server-accessing-my-server-at-particular-tim-4175440858/

LittleMaster 12-10-2012 02:05 PM

How could i find out who had rebooted my server/accessing my server at particular tim

Hi
I have lots of users with admin privilege, so someone had rebooted my server. When I search for bash_history I could not find the reboot command executed in root's .bash_history file. I found out the reboot time of my server in /var/log/messages. How can I find the list of users accessing my server at time 11-12-2012 6 AM EST? I have more than 300 users accessing my server every minute. Do I have to open the .bash_history of each user profile to find the user who had rebooted my server? Any help would be helpful.

unSpawn 12-10-2012 04:02 PM

Quote:

Originally Posted by LittleMaster (Post 4846461)
I have lots of users with admin privilege

Why would you need "lots of users" with root rights? Why not give them access via Sudo only? That restricts their privileges and logs access as well.


Quote:

Originally Posted by LittleMaster (Post 4846461)
When I search for bash_history I could not find the reboot command executed in root's .bash_history file. I found out the reboot time of my server in /var/log/messages. How can I find the list of users accessing my server at time 11-12-2012 6 AM EST?

Linux doesn't come with an extensive audit trail configured out of the box. This means that, depending on the Linux distribution and what software and services a machine is configured with, you minimally have access to system and daemon logs, user login records (maybe process accounting or even the audit service), user shell history and file system MAC times, which is info you can correlate.
In addition to the problems that correlation poses, your extra problems may be in the way you allowed users to reboot the machine (su, sudo, setuid root binaries: explain in detail please) and any tampering by users you are not aware of, which may include any means of access that users configured themselves or any means that could provide illegal access.
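The "user login records" unSpawn lists are the wtmp database that `last` reads. The Python script below is an added example (not code from this thread or from any of its posters) that parses wtmp records directly, lists the reboot/shutdown events the same way `last -x` does, and replays the login/logout entries to show which sessions were open at a given instant, so a reboot time taken from /var/log/messages can be correlated with who was logged in just before it. It assumes the 384-byte glibc `struct utmp` record layout used on x86_64 and i386 Linux, and the records it runs against by default are constructed sample data, not a real log.

```python
import struct
import sys
import time

# Assumption: glibc's struct utmp on Linux (x86_64 and i386) is 384 bytes:
#   short ut_type; pid_t ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; struct exit_status (2 shorts);
#   int32 ut_session; int32 tv_sec; int32 tv_usec; int32 ut_addr_v6[4]; 20 unused
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

RUN_LVL, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 1, 2, 7, 8


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data: bytes):
    """Unpack every full record and return them in time order."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return sorted(records, key=lambda r: r["time"])


def boot_events(records):
    """(epoch, 'reboot'|'shutdown') pairs, the events `last -x` reports."""
    events = []
    for r in records:
        if r["type"] == BOOT_TIME:
            events.append((r["time"], "reboot"))
        elif r["type"] == RUN_LVL and r["user"] == "shutdown":
            events.append((r["time"], "shutdown"))
    return events


def sessions_open_at(records, when):
    """Replay wtmp up to `when`; a tty/pts session stays open until its
    DEAD_PROCESS entry, a shutdown record, or a reboot record."""
    open_by_line = {}
    for r in records:
        if r["time"] > when:
            break
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            open_by_line.pop(r["line"], None)
        elif r["type"] == BOOT_TIME or (r["type"] == RUN_LVL and r["user"] == "shutdown"):
            open_by_line.clear()
    return sorted((r["user"], r["line"], r["host"]) for r in open_by_line.values())


def _rec(ut_type, pid, line, user, host, tv_sec) -> bytes:
    """Pack one record; used here only to build the constructed sample."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample (not a real log). T0 is 2012-11-12 11:00 UTC, i.e. 06:00 EST.
T0 = 1352718000
SAMPLE_WTMP = b"".join([
    _rec(BOOT_TIME, 0, "~", "reboot", "", T0 - 7200),
    _rec(USER_PROCESS, 4101, "pts/0", "alice", "10.0.0.5", T0 - 1800),
    _rec(USER_PROCESS, 4230, "pts/1", "bob", "10.0.0.9", T0 - 900),
    _rec(DEAD_PROCESS, 4101, "pts/0", "", "", T0 - 600),      # alice logs out
    _rec(RUN_LVL, 0, "~", "shutdown", "", T0),                 # the reboot under investigation
    _rec(BOOT_TIME, 0, "~", "reboot", "", T0 + 120),
    _rec(USER_PROCESS, 2077, "pts/0", "carol", "10.0.0.12", T0 + 900),
])

if __name__ == "__main__":
    # Pass /var/log/wtmp as the first argument to run against the real database.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    recs = parse_wtmp(data)
    for t, kind in boot_events(recs):
        print(time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(t)), kind)
        print("  sessions open one second before:", sessions_open_at(recs, t - 1))
```

On the sample data the shutdown at T0 is preceded by exactly one open session (bob on pts/1 from 10.0.0.5's neighbour 10.0.0.9), which narrows the candidate list without proving anything by itself: wtmp is a root-writable file, so the same tamper caveats unSpawn raises for shell history apply, and the PowerBroker event log remains the stronger source.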

LittleMaster 12-11-2012 12:22 AM

Sorry unSpawn, since I have not given enough info in my first post.

1. Since I have been using PowerBroker instead of sudo. Users execute pbrun bash and they get root access and they perform the activities.

2. I have more than 300 users of the application team with root privilege, since they deploy and modify some apps, so I have offered them root privilege. But to acquire root privilege they use pbrun bash and they give their user information before entering root privilege, so that history seems to be stored in the users' own .bash_history files rather than root's .bash_history.

3. Operating system: Red Hat 5.8 release

4. Since some user performs a reboot, it gets stored in the .bash_history in that user's home directory.

5. Do I have to enter each and every user and check .bash_history files to audit who had executed reboot at a particular period?

Since I could not find time & date in the history command, I am executing the following in all 300 users, manually auditing the reboot command at a particular time. It's very hard for me to go into 300 users and find out the reboot command in each user's .bash_history. Please advise any easy way to find it.

echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile

descendant_command 12-11-2012 12:29 AM

'grep reboot /home/*/.bash_history' ?

jsaravana87 12-11-2012 01:07 AM

Hey, you're a genius, man. Thanks for your help.

unSpawn 12-11-2012 04:20 AM

Quote:

Originally Posted by LittleMaster (Post 4846723)
Since I could not find time & date in the history command, I am executing the following in all 300 users, manually auditing the reboot command at a particular time.
echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile

If you want to stand a chance you should 0) export them from a central directory like /etc/profile.d/, 1) for each shell in /etc/shells and 2) set both shopt -s histappend and PROMPT_COMMAND='history -a' to facilitate flushing commands to the history file immediately. Even then you must understand that 0) the actual HISTTIMEFORMAT doesn't matter: for example as BASH logs in epoch only, 1) you may encounter shells that don't log time, 2) only new history entries get tagged but most importantly 3) a user's shell history is under control of the user meaning it can be altered, tampered with or outright deleted, ergo it can not be relied on as part of an indisputable audit trail.


Quote:

Originally Posted by LittleMaster (Post 4846723)
It's very hard for me to go into 300 users and find out the reboot command in each user's .bash_history.

With PowerBroker you get event and I/O logging. What it logs and where it logs depends on your settings and what PowerBroker daemon processes are running. I expect the default directory to be /var/log/ and the log file names start with pb.*.
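unSpawn's points about timestamped history (bash records the epoch only, some shells record no time at all, only entries written after the change are tagged) can be seen concretely in the added Python example below. It is not code from this thread, from bash or from PowerBroker; it assumes that once HISTTIMEFORMAT is set bash writes a `#<epoch>` marker line before each command in .bash_history, and the history files it scans by default are constructed samples. Entries without a marker cannot be placed in time, so the scanner reports them separately instead of silently dropping them, which is exactly the gap unSpawn describes; `load_histories` is the hook for running it over real /home/*/.bash_history files as root.

```python
import re
from pathlib import Path

# The settings unSpawn describes for /etc/profile.d/ (assumption: bash is the login shell).
PROFILE_D_SNIPPET = """\
export HISTTIMEFORMAT="%d/%m/%y %T "
shopt -s histappend
export PROMPT_COMMAND='history -a'
"""

# With HISTTIMEFORMAT set, bash writes a "#<epoch>" line before each command.
TS_LINE = re.compile(r"^#(\d{9,10})$")


def parse_history(text):
    """Yield (epoch or None, command). None means the entry predates
    timestamping or came from a shell that does not record time."""
    pending = None
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if m:
            pending = int(m.group(1))
            continue
        if line.strip():
            yield pending, line
        pending = None


def find_commands(histories, pattern, start, end):
    """histories: {user: history text}. Returns (user, epoch, command) for
    matches inside [start, end]; untimestamped matches are returned with
    epoch None so the analyst sees them rather than losing them."""
    rx = re.compile(pattern)
    hits = []
    for user, text in histories.items():
        for ts, cmd in parse_history(text):
            if not rx.search(cmd):
                continue
            if ts is None or start <= ts <= end:
                hits.append((user, ts, cmd))
    return sorted(hits, key=lambda h: (h[0], h[1] or 0))


def load_histories(home_root="/home"):
    """Read every <home_root>/*/.bash_history (needs root on the real box)."""
    return {p.parent.name: p.read_text(errors="replace")
            for p in Path(home_root).glob("*/.bash_history")}


# Matches a reboot-type command at the start of the line (optionally via a path,
# sudo or pbrun), so "grep reboot /var/log/messages" is not reported.
REBOOT_RX = r"^\s*(?:\S*/)?(?:sudo\s+|pbrun\s+)?(?:reboot|shutdown|init\s+6|telinit\s+6)\b"

# Constructed sample histories (not real files). T0 = 2012-11-12 11:00 UTC (06:00 EST).
T0 = 1352718000
SAMPLE = {
    "alice": f"#{T0 - 300}\npbrun bash\n#{T0 - 60}\nreboot\n#{T0 + 3600}\nls\n",
    "bob": "ls -la\nreboot\n",                                  # shell never recorded time
    "carol": f"#{T0 - 86400}\nshutdown -r now\n",              # a day earlier: out of window
    "dave": f"#{T0 - 120}\ngrep reboot /var/log/messages\n",   # only mentions the word
}

if __name__ == "__main__":
    # Replace SAMPLE with load_histories() to scan a real /home.
    for user, ts, cmd in find_commands(SAMPLE, REBOOT_RX, T0 - 1800, T0 + 1800):
        print(f"{user:8} {ts if ts is not None else 'no-timestamp':>14} {cmd}")
```

On the sample, alice's reboot lands inside the window and bob's shows up with no timestamp at all; a user who has truncated or deleted the file produces nothing, which is why this scan can only suggest candidates and never replaces the PowerBroker event and I/O logs.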

jpollard 12-11-2012 05:17 AM

With 300 people having root you don't have a chance of being able to prove who did it.

All logs are subject to tampering, and you have no security.

So even if you needed the logs for legal purposes, they are useless.

Using the command history is not likely to work very well, as it is recycled every "n" commands, where "n" is up to the user. And then, it is entirely possible for the user to disable history tracking.

Since this is a voluntary thing, you are just as likely to get a good answer by just asking "who did it?"

unSpawn 12-11-2012 06:15 AM

Quote:

Originally Posted by jpollard (Post 4846859)
With 300 people having root you don't have a chance of being able to prove who did it.

Unless you know exactly how his PowerBroker environment is configured I would say that's a rather bold and unfounded statement to make.

jpollard 12-11-2012 06:53 AM

It doesn't matter. With 300 people any and all files may be modified.

unSpawn 12-11-2012 07:23 AM

Quote:

Originally Posted by jpollard (Post 4846931)
It doesn't matter. With 300 people any and all files may be modified.

I wonder why the number of users should even enter the equation? It really is of no consequence. What matters in this case are what logging is configured (event log, I/O log), where it is configured to log to (local, remote) and the commands users are allowed to perform. Knowing that you can address circumvention, tamper resistance et cetera.
Without knowing that there is no tangible information to base any statements on.

LittleMaster 12-11-2012 07:24 AM

Thanks for your valuable info, unSpawn.

I tried the above posted step to investigate. Since the user who had rebooted the server had removed the history from the .bash_history file in his home directory, I could not find the real culprit who had rebooted the server.

When you create a user, he has the privilege to delete his own .bash_history file. Since I learned a lesson from this, I have to block the user so he could not delete his own .bash_history. Is it possible to make the user unable to delete or modify any command in the .bash_history in his home directory?

unSpawn 12-11-2012 07:30 AM

Quote:

Originally Posted by LittleMaster (Post 4846956)
I tried the above posted step to investigate.

Let me know if you actually read what I wrote about PowerBroker, its logging and if you actually checked those logs.


Quote:

Originally Posted by LittleMaster (Post 4846956)
Since the user who had rebooted the server had removed the history from the .bash_history file in his home directory.

IMHO wiping files is enough cause for concern to trace the user and simultaneously investigate the system for modification.


Quote:

Originally Posted by LittleMaster (Post 4846956)
Is it possible to make the user unable to delete or modify any command in the .bash_history in his home directory?

It is possible to set the extended "append only" attribute on files, but I urge you not to invest too much time in it. I already wrote the exact reasons why its contents cannot be trusted.

