LinuxQuestions.org


ZAMO 08-13-2008 12:44 AM

Granting Access using MAC for a multiple user environment.
 
Hi all,

I have a user environment, which can be accessed with a username and public key as authentication. I have a set of users using the same username to access the same single environment.

To track the individual user activities inside the environment, is there any way?
As they are all using the same username, is there any way to differentiate the users using their MAC address?

chort 08-13-2008 01:24 AM

If they all connect from a directly-attached local network, you can see which MAC address passed each IP datagram, but keeping track of that would be a huge pain and it would only tie computer to connection, it wouldn't correlate computer to commands or actions that were performed.

Why wouldn't you just create multiple user accounts?

ZAMO 08-13-2008 06:05 AM

Chort,

It is a must to keep the single user account. Yes, of course, keeping track of that would be a huge pain and it would only tie computer to connection.

So, in case I am dropping the idea of tracking, but if I want to isolate the user who executed a command or created a file in the single user environment, how can I do it? Is there any way to trace him? (I mean not track users all the time, but if needed occasionally.)

Any ideas? You can also suggest one other than MAC (if there is one).

Thanks a lot :)

chort 08-13-2008 01:00 PM

Yes, there's a good suggestion:
DON'T USE A SINGLE ACCOUNT!

Honestly, if you're concerned about auditing user actions, you need to figure out a way to assign separate accounts. Trying to figure out how to track individual humans using the same account is going to take more time than figuring out a way to use separate accounts would. The benefit is the same amount of effort invested in creating separate accounts will result in a vastly superior access control system, vastly superior monitoring, and it would be a permanent solution rather than a band-aid that you would have to come back and solve all over again every time you have a new problem with the shared account.

farslayer 08-13-2008 03:47 PM

If they use the same account, what's the point of even trying to track them?

You could NEVER prove in court that any one person was guilty of anything since they all share the same account. You would be unable to prove which user was on any specific machine at a given time; the logs and effort to create them would be a waste of time.

Any decent security policy/regulation (PCI, Sarbanes-Oxley, HIPAA, ISO 27002, etc.) will state that all users should have an individual, secure, unique login.

I can create multiple accounts and give them all access to the same resources/data. I don't see why that is not possible in your environment?

ZAMO 08-14-2008 04:51 AM

Thank you for your suggestions.

