LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 02-20-2010, 03:17 AM   #1
salimshahzad
Member
 
Registered: Dec 2009
Posts: 200

Rep: Reputation: 15
logs and trace of roots


dear gurus,

if we wish to know who connect what time and from what host or ip address and logout and what he did, or what was activities

how we can come to know advise

kind regards
 
Old 02-20-2010, 05:52 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531
With GNU/Linux the answer is "it depends". By default at least these features may be available:
- 'lastlog' (/var/log/lastlog) will show if a user ever logged in,
- 'who' (/var/run/utmp) will show if a user is logged in right now,
- 'last' will show when a user logged in and out and from which IP address in /var/log/wtmp (used by 'login'),
- 'ac' will show crude details of only commands run (from data in /var/log/wtmp) if process accounting was enabled,
- /var/log/secure will also show login information (including 'su') on systems running PAM,
- the users default shell history file, if set, will list commands (updated on logout).

Also see:
- various networked daemons that might log information (say sshd),
- network (access control) devices (LDAP, Kerberos, edge router, proxy),
- the graphical subsystem (say for correlating login/logout times),
- if the users shell is a recent BaSH and HISTTIMEFORMAT is set then timestamps (epoch) may be logged,
- GRSecurity or Auditd, if configured and in use, might log information,
- an application a user uses might log information,
- an application a user uses might leave temporary files elsewhere,
- deleted files may show clues,
- leftover processes might reveal information.

This means that if enough data is available, even if spread over different sources, correlation can work but reconstruction will need some effort. Even then the result will definitely not be complete enough to call it "irrefutable evidence". For more strict (for example PCI-compliant) logging search the Linux Security forum for threads about logging or PCI-DSS or use a search term like 'rootsh'.
 
Old 02-20-2010, 06:09 AM   #3
salimshahzad
Member
 
Registered: Dec 2009
Posts: 200

Original Poster
Rep: Reputation: 15
thanks and highly appreciated
 
Old 02-20-2010, 06:53 AM   #4
redhat2010@rocketmail.co
LQ Newbie
 
Registered: Feb 2010
Posts: 4

Rep: Reputation: 1
Hello,

You can see who logged in using 'last' command..
[root@node0 log]# last
root pts/0 192.168.0.100 Sat Feb 20 15:19 still logged in
reboot system boot 2.6.18-8.el5 Sat Feb 20 15:19 (00:06)
root pts/0 192.168.0.100 Sat Feb 20 15:17 - 15:17 (00:00)
root tty1 Sat Feb 20 15:17 - down (00:00)
root pts/0 192.168.0.100 Sat Feb 20 15:17 - 15:17 (00:00)
root pts/0 192.168.0.100 Sat Feb 20 15:17 - 15:17 (00:00)
reboot system boot 2.6.18-8.el5 Sat Feb 20 14:12 (01:05)

But its quite difficult to capture what all a user did, I believe you want to capture every key stroke..
Something like what script command does.
I can advice you to setup a master server with ssh trust to other servers and write an application (a script, little difficult)

Letís take an example for ssh:
My master server is node0 and my client is node1

On master server:
As root run
[root@node0 ~]# ssh-keygen -t dsa

Just press enter donít supply any passphrase.
It will create below two files.

[root@node0 ~]# ls -l /root/.ssh/id_dsa*
-rw------- 1 root root 668 Feb 20 15:39 /root/.ssh/id_dsa
-rw-r--r-- 1 root root 600 Feb 20 15:39 /root/.ssh/id_dsa.pub
[root@node0 ~]#

On client server:

Modify line starting with AuthorizedKeysFile on /etc/ssh/sshd_config as below and restart sshd.

[root@node1 ~]# grep AuthorizedKeysFile /etc/ssh/sshd_config
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
[root@node1 ~]# service sshd restart
[root@node1 ~]# mkdir /etc/ssh/authorized_keys/
[root@node1 ~]# cd /etc/ssh/authorized_keys/

Here create a file root as content of node0:/root/.ssh/id_dsa.pub which we created in last section.

Then create a generic account say genuser on client.

[root@node1 ~]# useradd genuser
[root@node1 ~]# passwd -d genuser << you donít need to remove password since u have not created one, follow this in case u have an existing user.

Now follow below steps,

[root@node1 authorized_keys]# cd
[root@node1 ~]# cd /etc/ssh/authorized_keys/
[root@node1 authorized_keys]# ls -l
total 8
-rw-r--r-- 1 root root 589 Feb 20 20:30 root
[root@node1 authorized_keys]# ln -s root genuser
[root@node1 authorized_keys]# ls -l
total 12
lrwxrwxrwx 1 root root 4 Feb 20 20:50 genuser -> root
-rw-r--r-- 1 root root 589 Feb 20 20:30 root
[root@node1 authorized_keys]#

So on client genuser cannot login since you have already disabled password.
So how will you login to client node1 as genuser ??
Here you go:

[root@node0 ~]# hostname
node0
[root@node0 ~]# id -a
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@node0 ~]#
[root@node0 ~]# ssh genuser@node1
Last login: Sat Feb 20 20:52:16 2010 from 192.168.0.110
[genuser@node1 ~]$ id -a
uid=501(genuser) gid=501(genuser) groups=501(genuser)
[genuser@node1 ~]$

Now you have restricted login to client for a user and user can only login from master server.

Here is the difficult part..
1. You have to write an application which will accept login to master server as user.
2. And it should have intelligence to verify access level for a user, so that a user can only login as certain users.
3. Run application as root.
4. Run ďscript <%user.%date.%time>Ē so that you can log key stroke for each user.
5. And then it should run below command to login to client as user genuser.

ssh genuser@node1

You can apply sudo, since you should never grant root access to users and you cannot run ssh <userneme>@hostname (as per above logic) without root.

I would advice you to create a generic account on the server and give a level of access to that user and allow users to login as generic account and do their tasks.

Itís just an idea if you want to develop an in-house application.
 
0 members found this post helpful.
Old 02-21-2010, 12:55 AM   #5
salimshahzad
Member
 
Registered: Dec 2009
Posts: 200

Original Poster
Rep: Reputation: 15
this is great simple and highly apprecited
 
Old 02-21-2010, 03:23 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531
No it's rather convoluted (there are easier ways to restrict SSH access), it contains bad advice ('ln -s root genuser'), it's insecure (as it involves SSH + root account), incomplete (the logging keystrokes part) and completely unnecessary (if you would have understood my hint about searching the Linux Security forum for threads about logging or PCI-DSS or use a search term like 'rootsh'). Please try to understand things before you blindly accept a reply as a good answer.
 
Old 02-21-2010, 09:23 AM   #7
redhat2010@rocketmail.co
LQ Newbie
 
Registered: Feb 2010
Posts: 4

Rep: Reputation: 1
Not an offending view or argument, there are always a better way to do things.

“Completely unnecessary??” sorry, I just gave an idea to develop something on own.
I misread the subject, its not for logging root, it’s for normal users and you don’t need to delegate root access to each and everyone, you can go via sudo.

Of-course it’s incomplete, since it’s an idea not a complete solution.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to trace and disable the HTTP TRACE method in Apache 1.3.33 with FreeBSD? SomnathG Linux - Security 1 11-11-2008 10:41 AM
"killed" Message - how to trace/back trace ebinjose Linux - Kernel 1 01-29-2008 07:12 AM
Two roots? revenge80200 Yoper 0 01-29-2005 06:55 PM
The different type of roots Gins Linux - General 1 12-19-2004 01:57 PM
Installpkg and different roots pcause Slackware 2 08-12-2003 02:21 PM


All times are GMT -5. The time now is 06:28 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration