LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-22-2014, 09:38 PM   #16
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mint, OpenBSD
Posts: 11,346
Blog Entries: 12

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731

If he's supposed to be logging in as part of his job, why would he want to hide his tracks?

Looking at the human engineering, it would seem to me more likely that he's not logging in when he says he is.
 
Old 10-22-2014, 09:55 PM   #17
tezarin
Member
 
Registered: Nov 2007
Posts: 126

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by suicidaleggroll View Post
That doesn't agree with what you originally said:


So which is it? Do you "know for a fact" that he logs in two times a day, or are you taking his word for it?

Since he's just inspecting some files, is it possible that rather than ssh'ing into the server to see the files, he has set up a cron job on your server to scp the files to his machine at regular intervals, so he just inspects them locally? In which case you wouldn't be looking for incoming connections, you'd be looking for outgoing connections.

As far as I know, most distributions are configured to log incoming ssh connections to /var/log/messages or /var/log/secure by default. So unless your system is configured differently, there are two options here:

1) He's not logging in twice a day (so either he's not checking the system, or he's set it up to autonomously send the necessary log files to his own machine at regular intervals).

2) He's deleting entries to "cover his tracks".

What ssh client he's using does not factor into the equation, since it's your system that's accepting the connection and should be logging the entry.

The fact is, since he has root access, he can do literally anything he wants on your system. He can cover his tracks, he can install malware, he can hijack your system for bitcoin mining, he can block access to all other users, he can format the entire system and leave you dead in the water. Anything he wants. Root access should never be granted to anybody you do not trust entirely. The mere existence of this thread and your questions implies that you don't trust his word, which begs the question, why on Earth does he have root access to begin with?
Thank you for everyone's reply. I trust this guy and he has been doing a great job managing this server. But management doesn't trust him and don't take my word for it, I need to report back by tomorrow morning.

I personally have been removing all the maillog, messages and secure logs from the server just something that I do to empty the space on the server. Could his SSH logins been removed from lastlog as a result of my act?? If so I have to let the management know...

Can someone remove only some of the entries from the lastlog file? If so, how?
 
Old 10-22-2014, 10:08 PM   #18
tezarin
Member
 
Registered: Nov 2007
Posts: 126

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by frankbell View Post
If he's supposed to be logging in as part of his job, why would he want to hide his tracks?

Looking at the human engineering, it would seem to me more likely that he's not logging in when he says he is.
He is supposed to log in, but I don't want to be the one causing him trouble by reporting false info to the management.

A. Poor guy might have had logged in but as a result of my actions (cleaning up the maillog, messages, etc) he can't show proofs of logging in.

B. he might have had used another software to access the server which wouldn't leave a log in the lastlog file. I need to be able to explain this to the management tomorrow.
 
Old 10-22-2014, 10:09 PM   #19
tezarin
Member
 
Registered: Nov 2007
Posts: 126

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by onebuck View Post
Hi,

One other thought; look at time stamps on the logs or other files.
suicidaleggroll has a good point. How do you know that this user is logging in twice per day? 'root' should not be shared. <Please note the period.

You will always be open to problems when more than one person has root privileges.
Only he has the root account, I have a regular account
 
Old 10-22-2014, 10:12 PM   #20
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947
Quote:
Originally Posted by tezarin View Post
Only he has the root account, I have a regular account
Then how do you have access to the various system log files???
 
Old 10-22-2014, 10:13 PM   #21
tezarin
Member
 
Registered: Nov 2007
Posts: 126

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by suicidaleggroll View Post
That doesn't agree with what you originally said:


So which is it? Do you "know for a fact" that he logs in two times a day, or are you taking his word for it?

Since he's just inspecting some files, is it possible that rather than ssh'ing into the server to see the files, he has set up a cron job on your server to scp the files to his machine at regular intervals, so he just inspects them locally? In which case you wouldn't be looking for incoming connections, you'd be looking for outgoing connections.

As far as I know, most distributions are configured to log incoming ssh connections to /var/log/messages or /var/log/secure by default. So unless your system is configured differently, there are two options here:

1) He's not logging in twice a day (so either he's not checking the system, or he's set it up to autonomously send the necessary log files to his own machine at regular intervals).

2) He's deleting entries to "cover his tracks".

What ssh client he's using does not factor into the equation, since it's your system that's accepting the connection and should be logging the entry.

The fact is, since he has root access, he can do literally anything he wants on your system. He can cover his tracks, he can install malware, he can hijack your system for bitcoin mining, he can block access to all other users, he can format the entire system and leave you dead in the water. Anything he wants. Root access should never be granted to anybody you do not trust entirely. The mere existence of this thread and your questions implies that you don't trust his word, which begs the question, why on Earth does he have root access to begin with?
He is using SCP, have probably no cron set up, he told me before that he moves files to his machine all the time. Wouldn't those logins for manual file transferring be recorded in lastlog?
 
Old 10-22-2014, 10:14 PM   #22
tezarin
Member
 
Registered: Nov 2007
Posts: 126

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by suicidaleggroll View Post
Then how do you have access to the various system log files???
I am among the sudoers. Can see the logs and have been granted all the permissions
 
Old 10-22-2014, 10:17 PM   #23
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947
Quote:
Originally Posted by tezarin View Post
He is using SCP, have probably no cron set up, he told me before that he moves files to his machine all the time. Wouldn't those logins for manual file transferring be recorded in lastlog?
I may have missed it before, but what distro are you using?

I just did some tests on CentOS 6.5, and scp connections do NOT show up in lastlog, but they DO show up in /var/log/secure.

Last edited by suicidaleggroll; 10-22-2014 at 10:19 PM.
 
Old 10-22-2014, 10:19 PM   #24
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947
Quote:
Originally Posted by tezarin View Post
I am among the sudoers. Can see the logs and have been granted all the permissions
If you've been granted full root privileges via sudo then you effectively have root access, in which case refer back to onebuck's post.
 
Old 10-22-2014, 10:25 PM   #25
tezarin
Member
 
Registered: Nov 2007
Posts: 126

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by suicidaleggroll View Post
I may have missed it before, but what distro are you using?

I just did some tests on CentOS 6.5, and scp connections do NOT show up in lastlog, but they DO show up in /var/log/secure.
We have several machines, CentOS mostly. This is great to know, I have been cleaning up the secure archive log file (secure.1, secure.2, etc.) throughout all these years, so could the poor guy be using winscp many times and no login entry shows up in lastlog because secure.x files are gone??
 
Old 10-22-2014, 10:31 PM   #26
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947
That seems entirely plausible. From what I can tell scp connections do not show up in lastlog at all, so unless you look at /var/log/secure they would be missed.
 
Old 10-22-2014, 10:31 PM   #27
tezarin
Member
 
Registered: Nov 2007
Posts: 126

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by onebuck View Post
Hi,

One other thought; look at time stamps on the logs or other files.
suicidaleggroll has a good point. How do you know that this user is logging in twice per day? 'root' should not be shared. <Please note the period.

You will always be open to problems when more than one person has root privileges.
I wasn't among the sudoers until recently, now that I have a sudoer account, I can see his login attempts (tty, timestamp, everything) under the user root. Those entries are not many, maybe one each month, that can't be right as I personally had asked him to run a command for me, send me a file from the server, etc. several times a day and in order for him to be able to do that he would have to log into the server...
 
Old 10-22-2014, 10:35 PM   #28
tezarin
Member
 
Registered: Nov 2007
Posts: 126

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by suicidaleggroll View Post
That seems entirely plausible. From what I can tell scp connections do not show up in lastlog at all, so unless you look at /var/log/secure they would be missed.
So by removing all the secure.x archive files, all those entry records are gone, too...
 
Old 10-22-2014, 10:35 PM   #29
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mint, OpenBSD
Posts: 11,346
Blog Entries: 12

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
As an aside, it might be a good idea to look into using logrotate to control space in /var/log, rather than log files them manually. You could store the archives created by logrotate in the event they need to be consulted at a later date.

Last edited by frankbell; 10-22-2014 at 10:37 PM.
 
Old 10-22-2014, 10:36 PM   #30
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947
Quote:
Originally Posted by tezarin View Post
So by removing all the secure.x archive files, all those entry records are gone, too...
yes
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Trace of runtime activities in UNIX ankitspy Linux - Newbie 2 03-28-2011 07:48 PM
Trouble transferring files from a Windows box to a UNIX box. BreakTheWindows2008 Linux - Software 4 08-15-2008 10:10 PM
Apache access+log can't trace a particular PC at second times SquallPang Linux - Security 1 12-27-2006 06:58 PM
securing a linux box...how 2 trace the hacking culprit fhameed Linux - Security 15 01-22-2004 07:47 PM
Linux Box crashes with no trace in syslog eDubster Linux - General 2 05-19-2003 04:43 PM


All times are GMT -5. The time now is 12:14 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration