LinuxQuestions.org
Old 04-24-2013, 10:57 PM   #1
ilesterg
Unix administrator auditing - suggestions?


Hey guys,

I work with application management for an enterprise class application, and I am having a really hard time dealing with the people working on our server infrastructure (application server admins who have privileged access to production servers). The exact problem is that the crontab schedules of our application's unix scripts keep getting messed up lately:
1. One was removed from crontab
2. Two were disabled in crontab
3. One script was scheduled to run on another server (backup live server), resulting in simultaneous execution of the script causing chaos.

The thing is, they don't have any mechanism to determine who was making such changes in the crontab schedule of the servers. Although they have their process which regularly creates a backup of crontab, they could no longer determine who was making any changes to the crontab of the servers.

Additional details:
1. Around 15 administrators could access the servers (4 Unix boxes)
2. Challenge: each of them connects to the Unix servers using ssh, under a single username@server

Do you guys have any suggestions on how we could possibly perform an audit of the commands that each admin executes on the server? I was thinking of regularly checking the history file against the ssh sign-on times, but I might get more productive/feasible ideas from you guys.

Cheers!
 
Old 04-25-2013, 01:49 AM   #2
unSpawn
Situation clear, constraints not. Basic requisites should be remote syslog and NTP enabled everywhere, and what you add then from workstation logging, Inotify watches, FUSE LoggedFS, audit service, rootsh to obviously each user logging in from their own unprivileged user account and enough rights only using /etc/sudoers depends on what you are allowed / willing to modify / install.
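As an added example (my own code, not unSpawn's and not from this thread), the Python below shows what the "audit service" suggestion buys on a box where everybody shares one login. Watch rules on the cron paths (paths assumed for a Linux host; AIX and others differ) tag every write with a key, and the SYSCALL record's ses= field ties that write back to the USER_LOGIN record sshd produced, which carries the client address. Because all 15 admins use the same account, auid= is identical for everyone and the session id plus its login address is the only handle the audit log offers; it narrows a change to a workstation, not a person, which is exactly why unSpawn's "each user logging in from their own unprivileged account" is the real fix. The log records, the account name appadm, uid 500, the addresses and the inode numbers are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample audit log (not from the thread). Records follow the
# auditd raw format: key=value pairs, records of one event share the same
# msg=audit(TIMESTAMP:SERIAL) id. Every admin logs in as "appadm" (uid 500),
# so auid=500 is the same for all of them; only ses= and the sshd login's
# addr= tell the sessions apart.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1366880100.101:201): pid=3001 uid=0 auid=500 ses=17 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.21 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1366880160.202:202): pid=3050 uid=0 auid=500 ses=18 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.35 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1366880400.303:310): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=3060 pid=3071 auid=500 uid=500 gid=500 euid=500 ses=18 tty=pts1 comm="crontab" exe="/usr/bin/crontab" key="crontab-change"
type=PATH msg=audit(1366880400.303:310): item=0 name="/var/spool/cron/" inode=1001 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1366880400.303:310): item=1 name="/var/spool/cron/appadm" inode=1002 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1366880700.404:320): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=3010 pid=3090 auid=500 uid=0 gid=0 euid=0 ses=17 tty=pts0 comm="vi" exe="/bin/vi" key="crontab-change"
type=PATH msg=audit(1366880700.404:320): item=0 name="/etc/cron.d/" inode=2001 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1366880700.404:320): item=3 name="/etc/cron.d/app-backup" inode=2003 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
EVENT_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")


def audit_rules(watch_paths=("/etc/crontab", "/etc/cron.d", "/var/spool/cron"),
                key="crontab-change"):
    """auditctl -w rules: log writes and attribute changes under the cron paths.
    The path list is an assumption for a typical Linux host; adjust per OS."""
    return ["-w %s -p wa -k %s" % (p, key) for p in watch_paths]


def parse_record(line):
    """Turn one raw audit record into a flat dict; nested msg='...' is merged in."""
    rec = {}
    for key, val in FIELD_RE.findall(line):
        if key == "msg" and val.startswith("audit("):
            ts, serial = EVENT_RE.search(val).groups()
            rec["time"] = float(ts)
            rec["serial"] = int(serial)
        elif key == "msg" and val.startswith("'"):
            # USER_LOGIN keeps addr=, terminal= etc. inside the quoted msg
            rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(val[1:-1])})
        else:
            rec[key] = val.strip('"')
    return rec


def attribute_crontab_changes(log_text, key="crontab-change"):
    """Map each keyed file change back to the SSH session that made it."""
    sessions = {}                # ses -> address sshd reported at login
    events = defaultdict(list)   # serial -> all records of that event
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") == "USER_LOGIN" and rec.get("res") == "success":
            sessions[rec["ses"]] = rec.get("addr", "?")
        else:
            events[rec["serial"]].append(rec)

    changes = []
    for serial in sorted(events):
        recs = events[serial]
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        # item=0 is the parent directory; the highest item is the file touched
        paths = [r for r in recs if r["type"] == "PATH"]
        target = max(paths, key=lambda r: int(r["item"]))["name"] if paths else "?"
        changes.append({
            "time": syscall["time"],
            "path": target,
            "comm": syscall["comm"],
            "auid": syscall["auid"],
            "ses": syscall["ses"],
            "addr": sessions.get(syscall["ses"], "unknown"),
        })
    return changes


if __name__ == "__main__":
    print("\n".join(audit_rules()))
    for c in attribute_crontab_changes(SAMPLE_AUDIT_LOG):
        print("%(time).0f %(path)s changed by %(comm)s in session %(ses)s from %(addr)s" % c)
```

On a live system the rules go into /etc/audit/audit.rules (or are loaded with auditctl) and the records come from ausearch -k crontab-change rather than a string; the parser is the same. Remote syslog and NTP, as unSpawn notes, are what keep these timestamps and session ids trustworthy across the four boxes.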
 
Old 04-25-2013, 01:52 AM   #3
ilesterg
Quote:
Originally Posted by unSpawn View Post
Situation clear, constraints not. Basic requisites should be remote syslog and NTP enabled everywhere, and what you add then from workstation logging, Inotify watches, FUSE LoggedFS, audit service, rootsh to obviously each user logging in from their own unprivileged user account and enough rights only using /etc/sudoers depends on what you are allowed / willing to modify / install.
Wow, that's so much to take in, thanks I'll look into those.
 
Old 04-25-2013, 02:29 PM   #4
unSpawn
Quote:
Originally Posted by ilesterg View Post
Wow, that's so much to take in, thanks I'll look into those.
Sorry, I was kind of strapped for time and I needed to wedge in a reply pretty quick. Just ask me to expand on any aspects if needed though it would help to know what you can and can not do or suggest.
 
Old 04-25-2013, 03:20 PM   #5
Noway2
Attempting to expand upon unSpawn's suggestions, requiring sudo coupled with time stamping on the crontabs might be an easy way to obtain the information you're after. By requiring sudo, you should get a log entry for the action performed as well as a time stamp for the action.

For example, using sudo on the simple ls command gives the following log entry in secure:
Code:
Apr 25 16:13:39 decwebserver1 sudo:  myuser : TTY=pts/0 ; PWD=/home/myuser ; USER=root ; COMMAND=/usr/bin/ls
Provided that you're not dealing with deliberately malicious intentions, this should give you a better audit log of who is performing what. A potential danger is to use sudo to simply gain a root shell, via sudo -i. This will show up as executing COMMAND=/bin/bash (or whatever shell you're using) and the subsequent commands will not be seen directly. However, it may still be enough to narrow the list or correlate against the action without requiring dedicated audit tools.
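As an added example (my own code, not Noway2's), this Python script parses sudo entries of the format quoted above and applies the caveat Noway2 raises: an invocation whose COMMAND is a shell (sudo -i logs as /bin/bash; su behaves the same way) is flagged, because nothing sudo logs after that point tells you what was done, and commands that touch crontab are flagged as the changes the original poster is trying to trace. The log lines are constructed; the hostname decwebserver1 and user myuser are reused from the quoted entry, and the user other, appuser and the cron paths are assumptions.

```python
import os
import re

# Constructed sample of /var/log/secure (only the first line mirrors the
# thread's quoted entry; the rest are made up to exercise each case).
SAMPLE_SECURE_LOG = """\
Apr 25 16:13:39 decwebserver1 sudo:  myuser : TTY=pts/0 ; PWD=/home/myuser ; USER=root ; COMMAND=/usr/bin/ls
Apr 25 16:20:02 decwebserver1 sudo:  myuser : TTY=pts/0 ; PWD=/home/myuser ; USER=root ; COMMAND=/usr/bin/crontab -e
Apr 25 16:31:10 decwebserver1 sudo:  other : TTY=pts/1 ; PWD=/home/other ; USER=root ; COMMAND=/bin/bash
Apr 25 16:40:55 decwebserver1 sudo:  other : TTY=pts/2 ; PWD=/home/other ; USER=appuser ; COMMAND=/usr/bin/crontab -r
Apr 25 16:45:01 decwebserver1 sudo:  myuser : TTY=pts/0 ; PWD=/home/myuser ; USER=root ; COMMAND=/usr/bin/su -
Apr 25 16:50:00 decwebserver1 sshd[2211]: Accepted publickey for myuser from 10.0.0.21 port 50012 ssh2
"""

# One sudo entry: "MMM dd HH:MM:SS host sudo:  user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Programs that hand the caller an interactive shell: from this point on sudo
# records nothing about what the person actually did (the sudo -i case).
SHELL_PROGRAMS = {"bash", "sh", "ksh", "zsh", "csh", "tcsh", "dash", "su"}
# Anything that touches these is a crontab change (paths assumed for Linux).
CRON_PATHS = ("/etc/crontab", "/etc/cron.d", "/var/spool/cron", "/etc/cron.")


def classify(cmd):
    """Label one COMMAND= value as shell-escape, cron-change or other."""
    argv = cmd.split()
    prog = os.path.basename(argv[0]) if argv else ""
    if prog in SHELL_PROGRAMS:
        return "shell-escape"
    if prog == "crontab" or any(p in cmd for p in CRON_PATHS):
        return "cron-change"
    return "other"


def parse_sudo_log(text):
    """Return every sudo entry as a dict with its fields plus a category."""
    entries = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:          # sshd and other daemons' lines are skipped here
            continue
        e = m.groupdict()
        e["category"] = classify(e["cmd"])
        entries.append(e)
    return entries


def findings(text):
    """The entries worth a follow-up question to the admin concerned."""
    return [(e["ts"], e["user"], e["runas"], e["cmd"], e["category"])
            for e in parse_sudo_log(text) if e["category"] != "other"]


if __name__ == "__main__":
    for ts, user, runas, cmd, why in findings(SAMPLE_SECURE_LOG):
        print("%s %s as %s: %s  [%s]" % (ts, user, runas, cmd, why))
```

The shell-escape gap itself is closable in sudo: with Defaults log_output in /etc/sudoers, sudo records the session's terminal output and sudoreplay plays it back, so even a sudo -i session leaves a record of what was typed inside it. That still depends on the person using sudo from their own account rather than the shared login, which brings it back to unSpawn's point.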