Many users have the root password: how to find who did what
Many users have the root password on a Debian Linux server. Somebody has changed some permissions on some directories. I need to find which user did this. Is there any way to find out specifically who did this?
No, you can't, since all users have logged in as the same user. You should consider using a sudo setup with fine-grained restrictions and logging capabilities instead.
May I ask why your users have to have the root password?
I forgot to mention one thing. Every user has their own account set up with SSH key-based login. So every user logs in with their own account and then su's to root.
It doesn't make a difference if the users first log in as their own users and then su to root; at that point they are root and not differentiable.
Sometimes legacy setups can be quite inconvenient and even dangerous. Good luck with convincing your seniors to implement a clean and secure solution.
In Debian you have to do some settings.
* Allow users to do "sudo su -" only, so that they become root.
* I implemented this method and am keeping track of users successfully. I have written the same in my blog. Read the post and make some changes for a Debian system. I did this on CentOS/Red Hat, and you can use the same logic with Debian also. Here you have to play with the .bash_profile of users. http://sharadchhetri.com/2011/12/02/...ndary-logging/
Code:
mkdir -p /var/log/users_historylogs
- user login records in /var/log/wtmp ('man last'),
- if you touched /var/log/btmp you also have bad logins there ('man lastb'),
- PAM user login records in /var/log/secure or equivalent,
- if BSD Process Accounting was enabled (psacct) the 'sa', 'lastcomm' and related commands,
- possibly login records in networked service daemon logs,
- users' shell history, and
- file system MAC time stamps.
Correlation, creating a time line out of log file entries, login records, user shell history, 'lastcomm --user [someaccountname]' and file system MAC time stamps may to some extent reveal when and in what order the system was altered, but it will always be an incomplete picture and you won't be able to assert that whatever you (think you) see is free of tampering. (When pondering a better audit trail see http://www.linuxquestions.org/questi...8/#post3997650 and http://www.linuxquestions.org/questi...patches-34823/.)
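One concrete piece of the correlation described above, as an added example that is not part of the original post: pair each "session opened for user root by <user>" line that PAM writes for su with its "session closed" line (matched through the su PID), and then ask which of those sessions covered the moment the directory changed. The log lines, host name and account names are constructed; the Debian log path and the GNU stat/date options in the last helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: narrow down who was root when a
# directory's permissions changed, by correlating the change time with the
# su session records that pam_unix writes to a Debian-style /var/log/auth.log.
# The log lines, host name and account names below are constructed.

SAMPLE_AUTH_LOG='Mar  3 09:58:40 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:02:11 web1 su[2290]: Successful su for root by alice
Mar  3 10:02:11 web1 su[2290]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar  3 10:05:03 web1 sshd[2310]: Accepted publickey for bob from 10.0.0.9 port 40110 ssh2
Mar  3 10:12:45 web1 su[2290]: pam_unix(su:session): session closed for user root
Mar  3 10:20:30 web1 su[2377]: Successful su for root by bob
Mar  3 10:20:30 web1 su[2377]: pam_unix(su:session): session opened for user root by bob(uid=1001)
Mar  3 10:41:02 web1 su[2377]: pam_unix(su:session): session closed for user root'

# awk program shared by both functions: pairs "session opened ... by <user>"
# with the matching "session closed" line via the su PID, then either lists
# every root session or (when "at" is set) the users who were root at "at".
SESSIONS_AWK='
BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i }
# sortable key MMDDhhmmss from a syslog stamp; assumes one calendar year
function key(mo, d, t,   a) { split(t, a, ":")
        return sprintf("%02d%02d%02d%02d%02d", mon[mo], d, a[1], a[2], a[3]) }
function pid_of(f) { sub(/^su\[/, "", f); sub(/\]:$/, "", f); return f }
$5 ~ /^su\[[0-9]+\]:$/ && /session opened for user root by/ {
        id = ++n; u = $NF; sub(/\(.*/, "", u)
        who[id] = u; start[id] = key($1, $2, $3); sstamp[id] = $1 " " $2 " " $3
        open[pid_of($5)] = id
}
$5 ~ /^su\[[0-9]+\]:$/ && /session closed for user root/ {
        p = pid_of($5)
        if (p in open) { id = open[p]; end[id] = key($1, $2, $3)
                         estamp[id] = $1 " " $2 " " $3; delete open[p] }
}
END {
        if (at != "") { split(at, s, " "); k = key(s[1], s[2], s[3]) }
        for (i = 1; i <= n; i++) {
                if (at == "")
                        printf "%s became root at %s, left at %s\n", who[i], sstamp[i],
                               (i in end) ? estamp[i] : "(still open)"
                else if (start[i] <= k && (!(i in end) || k <= end[i]))
                        print who[i]
        }
}'

# All root sessions in the log read from stdin, oldest first.
su_sessions() { awk "$SESSIONS_AWK"; }

# Users who held a root shell at the given syslog-style time ("Mar  3 10:30:00").
root_at() { awk -v at="$1" "$SESSIONS_AWK"; }

# chmod/chown update a file's ctime, not its mtime; this formats the ctime like
# a syslog stamp so it can be fed to root_at. Assumes GNU stat/date, and that
# the time stamps themselves were not tampered with.
change_stamp() { date -d "@$(stat -c %Z "$1")" '+%b %e %T'; }
```

Against a real box the call is `root_at "$(change_stamp /srv/data)" < /var/log/auth.log` (concatenate the rotated logs first if the change is older than the current file). It only understands the pam_unix su lines; direct root logins, sudo entries and sessions from other hosts are not covered, and a clock skew or a rewritten ctime silently breaks the match, which is exactly the "incomplete picture" the post warns about.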
Quote:
will always return "root" when used there

No, it will save the log like this: in /var/log it will save it as root_history-username-AndDateFormat. Kindly try it in your system first. I tried it in CentOS and it is in a production environment. I am not misleading anyone with this information. Some blogs have already shared this link. All the things which I have written in my blog have been practically done. First give it a try and let me know.
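An added example of the per-user root history idea from the two posts above (the blog post describing it and this reply naming the root_history-username-date files), not code from the thread or the linked blog: a snippet to source from root's ~/.bash_profile that resolves the account that actually logged in and points bash's history at a file named after it, inside the /var/log/users_historylogs directory quoted earlier. The function names and the "unknown" fallback are my own choices.

```shell
# Added example, not code from the thread or the linked blog: source this from
# root's ~/.bash_profile so that the root shell's history lands in a file named
# after the account that actually logged in. The directory comes from the
# thread; the function names and the fallback name "unknown" are my own.

HISTLOG_DIR="${HISTLOG_DIR:-/var/log/users_historylogs}"

# "whoami" answers "root" after su/sudo. Two things still name the original
# account: SUDO_USER (set by sudo; it survives "sudo -i"/"sudo -s" but "su -"
# scrubs the environment) and the utmp entry of the controlling tty
# ("who am i"), which su does not rewrite.
origin_user() {
    if [ -n "$SUDO_USER" ]; then
        printf '%s\n' "$SUDO_USER"
    else
        who am i 2>/dev/null | awk 'NR == 1 { print $1 }'
    fi
}

# Per-user, per-day file: <dir>/root_history-<user>-<YYYY-MM-DD>.
# An empty or path-like user name is mapped to "unknown" so the file can never
# be steered outside HISTLOG_DIR.
history_path() {
    local user="$1" day="${2:-$(date +%F)}"
    case "$user" in
        ''|*/*|*..*) user=unknown ;;
    esac
    printf '%s/root_history-%s-%s\n' "$HISTLOG_DIR" "$user" "$day"
}

# Apply the settings to the running root shell (bash).
setup_root_history() {
    HISTFILE="$(history_path "$(origin_user)")"
    mkdir -p "$HISTLOG_DIR" && chmod 700 "$HISTLOG_DIR"
    HISTTIMEFORMAT='%F %T '             # timestamp every command
    HISTSIZE=100000 HISTFILESIZE=100000 # don't truncate the day's record
    shopt -s histappend                 # append, never overwrite
    PROMPT_COMMAND='history -a'         # flush each command as it is entered
    export HISTFILE HISTTIMEFORMAT HISTSIZE HISTFILESIZE
    readonly HISTFILE HISTTIMEFORMAT    # a plain "unset HISTFILE" no longer works
}
```

Install it with a line such as `. /etc/root_history.sh && setup_root_history` at the end of /root/.bash_profile. It records interactive bash only: a shell that is already root can be started with other settings, so this is a convenience trail that complements the process accounting and session-recording tools mentioned elsewhere in the thread rather than replacing them.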
(1) We can save the log on a remote server as well.
(2) Second, we should use the chattr command to make the log dir immutable, as well as .bashrc, so that if anyone tries to remove the immutable attribute from the directory, we can capture his activity in the local and remote log server also.
(3) Here the last login in the server log must also be saved remotely.
(4) We must have a single centralised server (bastion host) only, from which users can log in. On that server users are only allowed to use ssh to other servers. On this server also, we can use this logging system. Through steps 3 and 4 we can track who was the last person who tried to log in to that server.
(5) The company must have a policy that users should not share their credentials with anyone. If they do, the company should take proper action against him/her.
I hope in this way we can achieve the main concern of the question, which is that users should not do any damage to the server. So users will think before they act.
Code:
[schneidz@hyper ~]$ sudo tail -f /var/log/secure
and it is better to have something rather than nothing. :)
@schneidz, I appreciate that you also pointed out a good thing.
At that time I found the guy who did the changes. Timestamps of files and directories also matter, if they exist. If someone removes the log, there is rootsh, as unSpawn said. That is also a good thing: http://linux.die.net/man/1/rootsh. We can utilise both things together.