LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-14-2006, 01:56 AM   #1
overlord73
Member
 
Registered: Apr 2004
Location: ..where no life dwells..
Distribution: RH,FC/SuSE/Debian/HPUX/OSX
Posts: 511

Rep: Reputation: 30
log file access for 2nd root


Hi,

on a productive system I have a second root-user (remote-admin responsible for a few apps and daemons). via script I allow this user to connect via ssh.

The question is, is there a possibility to "monitor" what this user is doing? a logfile which files has been changed by this user would be fine!

..or any other ideas, how would you solve this?

cheers...

(System is SuSE 10)
 
Old 02-14-2006, 03:57 AM   #2
cs-cam
Senior Member
 
Registered: May 2004
Location: Australia
Distribution: Gentoo
Posts: 3,544
Blog Entries: 4

Rep: Reputation: 56
If you trust this user so much that you want a log of what they do, why give them root priviledges at all? Have a look into using sudo, it will allow you to choose what they can and can't do and it'll let you log what they do easily
 
Old 02-14-2006, 05:00 AM   #3
overlord73
Member
 
Registered: Apr 2004
Location: ..where no life dwells..
Distribution: RH,FC/SuSE/Debian/HPUX/OSX
Posts: 511

Original Poster
Rep: Reputation: 30
hm, I thought about his, but it seems this would be a lot of work to find out all commands they should be allowed to do.....thought there might be an easy alternativ....
 
Old 02-14-2006, 07:30 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742
If you trust this user so much that you want a log of what they do, why give them root priviledges at all?
I agree this is the major question, and you should solve that beforehand. If you find accounting at this level a necessity, then you must set up a policy wrt purpose, retention time, privacy issues, etc, etc, inform them of being watched. If you can explain why this is needed and they agree then any responsable admin should have no problem with it.

I'm sure I'm forgetting something, but this should somewhat cover it. This box should be properly hardened. Since there is not much you can do to stop a wheel group/root account user from altering/circumventing any methods you put into place, the first thing to do (after getting agreement) would be to set up remote syslogging. Correlating login times with absence of data means trouble. Of course they should not have access to that part of the infrastructure where the syslog server resides. After that set up a framework to extend logging which the GRSecurity kernel patch can provide. After that you should set up rootsh which can syslog the complete session. Note that parsing>reporting>taking action in relation to the above is something that only takes place *after* the event. Prevention by taking away capabilities and/or denying users access to certain commands using something like RBAC "is left as an excercise to the reader"...


thought there might be an easy alternative
This maybe sounds a bit harsh, but (with all due respect) "easy" implies dropping qualitatively good solutions for lame ones, preferably those that cost virtually no time or knowledge to implement. If there's a distinct need to monitor users then you should invest time to research and tinker. If you want things the "easy" way then please press ALT+F4 repeatedly until poweroff :-]
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to log file access it_nb Linux - Security 2 10-05-2005 06:27 PM
access.log (squid) file, adding Logins mizard Linux - Networking 4 09-27-2005 07:45 AM
Using the 2nd CD: logged in as root@rescuedisc, change lilo.conf file or any files? jtp51 Slackware 3 11-02-2004 09:14 AM
$#!% passwd file removed, how do I log in as root? BrianK Linux - General 6 08-19-2004 02:23 PM
How do I view the default Apache access log file? johann519 Linux - General 2 05-10-2004 11:46 AM


All times are GMT -5. The time now is 03:07 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration