LinuxQuestions.org
Old 11-20-2013, 07:48 AM   #1
unclesamcrazy
Member
 
Registered: May 2013
Posts: 187

Rep: Reputation: 1
How to track the user who has done something problematic in defined condition


There are two servers, i.e. server A & server B (both CentOS), and 10 Ubuntu systems. All are in the same LAN.

All users log into server A from their Ubuntu systems and do their work there regularly. All know the root password of server A, because they all log in as root on server A frequently according to their work.

Problem :
1) A user logged into server A from his Ubuntu system.
2) Ran sudo -i and became root on server A.
3) Then he logged into server B as root. It didn't ask for a password because of authorized_keys.
4) Then he did something nasty on server B.
Now I want to find him. I have read /var/log/secure on both servers many times.
It is not helping me.

I know it is the height of foolishness and no Linux user can beat it, at least in this century. But it has been done.

Please help to find the user.
Thanks
sam
 
Old 11-20-2013, 08:00 AM   #2
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 979
Blog Entries: 2

Rep: Reputation: 235
I assume you know the time of the event on server B.

You should know which users had root on A at that time. That may be more than one. Depending on the details logged you may be able to see which tty was used for the ssh process and match that to the logged-in user.

I hope you can see by now the advantage of denying root remote login/command access in sshd (even with keys).
 
Old 11-20-2013, 08:02 AM   #3
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,166

Rep: Reputation: 751
If the user is any good he'll have covered his tracks by editing anything in /var/log/* that would be relevant.

Checking /var/log/secure for sudo sessions starting around the time of the event is about all you'll get. Given how vulnerable your system is I'd think you're unlikely to ever find out.
 
Old 11-20-2013, 08:28 AM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241
Quote:
Originally Posted by TenTenths View Post
If the user is any good he'll have covered his tracks by editing anything in /var/log/* that would be relevant.

Checking /var/log/secure for sudo sessions starting around the time of the event is about all you'll get. Given how vulnerable your system is I'd think you're unlikely to ever find out.
This is why using a remote log server is important. Nobody except security investigators should log in to the log server.

And I would have said "...how vulnerable your systems are...". Any time you have more than 4 people with uncontrolled root access, you have a severe problem.
 