Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
yes but does not helpful for that situation
imagine we have 3 users that are sysadmin,every sysadmin log in with root and change something or modify configuration or anything,i want to find out each modification for which sysadmin user
yes but does not helpful for that situation
imagine we have 3 users that are sysadmin,every sysadmin log in with root and change something or modify configuration or anything,i want to find out each modification for which sysadmin user
Think about what you just wrote. If all three people log in as the same user ID (root), then how, exactly, do you think you can tell them apart? Again, logging in as root on ANYTHING but the console is a horribly bad idea, and there is *NO REASON* to do this, at all, ever. Your sysadmins can log in as their regular users, then use sudo or su to get root privileges as needed. You can then look at command history, times/dates of logins, etc., to see who did what. You can ALSO (better) change the root password to something that only YOU know, and let them use SUDO...which will log every command back to their user ID's. They can do anything, but everything will be logged.
And nothing you do is going to have any impact on anything, since (if you have root access), you can wipe out ANY trace of anything you did, leaving you as much in the dark as you are now. Either hire admins you trust, or get rid of ones you don't.
Yes i know but i have to find or make an architecture that monitors root activity
using sudo and wheel group is recommended by red hat official books and i know root user can do anything
Yes i know but i have to find or make an architecture that monitors root activity using sudo and wheel group is recommended by red hat official books and i know root user can do anything
Again: **ONCE YOU HAVE ROOT, YOU CAN DO ANYTHING**. This includes (AGAIN) erasing any traces of whatever you did. In short, you CANNOT DO what you're asking to do, period. Again, you restrict access to root ONLY to the system console, period...you DO NOT log in as root over the network. You keep the root password to yourself, and put any other admins in the wheel group, and grant them sudo access. You now have ANY root level commands run tied to a specific user ID, which is what you want.
If you want to be secure, you limit what those users can do; make sure they can't change the root password, remove/edit wtmp or history/logs for sudo, etc. They then can't erase traces of what they did. More secure? Then mirror your logs to a centralized syslog server, which no one but you has access to.
This is sounding very much like a homework question.
AGAIN I KNOW YOUR INTENTION but i have to make an architecture for this situation because of CEO requests this situation
I don't care my problems sounds what,I only wanna to solve problem
but you need to understand how it works.
We cannot make an architecture for you, we can only help you to solve your problem.
At first you must not give root account to anyone. Next, you [may] need to configure sudo to allow some people to execute some apps. That can be logged easily.
But you - and again, nobody - can control the root user, because root have the power to do anything, including the modification of the system and removing anything (like logs) - or disabling monitoring.
So the best thing you can do is to do not allow to be root for anyone - but give permissions for specific tasks (with sudo or something similar).
AGAIN I KNOW YOUR INTENTION but i have to make an architecture for this situation because of CEO requests this situation I don't care my problems sounds what,I only wanna to solve problem
Then you need to explain to your CEO why what they want is impossible, period. There is no magic solution to do what you want, and there never will be.
And if your company's security practices are so bad that multiple people log in as root over the network, you've got bigger issues to deal with. We know what you want; you are not understanding what you're being told in regards to it, and it can't be explained any simpler. If you truly don't understand why what you're asking is impossible, then you need to give this job to one of your co-workers who does understand it.
If your CEO absolutely must have something, then Google for "Privileged Access Management" and prepare to fork over loads of cash for something like CyberArk or Centrify that will (a) make it much harder to get any real work done, and (b) provide dubious benefits and yet another set of potential security problem (what happens if someone gains unauthorized access to the manager console?). Or you can listen to the good advice given on this thread regarding *not letting people log in as root over the network*.
For a less fancy options for after-the-fact auditing, you can:
a. Configure auditd and export the audit logs (and syslogs) off box to a secure remote server.
b. Don't give anyone whose actions are being audited access to the server from a, and hope no one breaks in.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.