LinuxQuestions.org
Old 12-10-2012, 02:05 PM   #1
LittleMaster
Member
 
Registered: Jun 2012
Posts: 98
Blog Entries: 1

How could I find out who rebooted my server / accessed my server at a particular time?


Hi,
I have lots of users with admin privileges, so someone rebooted my server. When I searched bash_history I could not find the reboot command executed in root's .bash_history file. I found the reboot time of my server in /var/log/messages. How can I find the list of users accessing my server at 11-12-2012 6 AM EST? I have more than 300 users accessing my server every minute. Do I have to open the .bash_history of each user profile to find the user who rebooted my server? Any help would be helpful.
 
Old 12-10-2012, 04:02 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Quote (Originally Posted by LittleMaster):
i have lots of users with admin priviledge
Why would you need "lots of users" with root rights? Why not give them access via Sudo only? That restricts their privileges and logs access as well.


Quote (Originally Posted by LittleMaster):
When i search for bash_history i could not find reboot command executedin root .bash_history file.I found out reboot time of my server in /var/log/messsage.How can i find the list of user is accessing my server at time 11-12-2012 6Am est.
Linux doesn't come with an extensive audit trail configured out of the box. This means that, depending on the Linux distribution and what software and services a machine is configured with, you minimally have access to system and daemon logs, user login records (maybe process accounting or even the audit service), user shell history and file system MAC times, which info you can correlate.
In addition to the problems that correlation poses, your extra problems may be in the way you allowed users to reboot the machine (su, sudo, setuid root binaries: explain in detail please) and any tampering by users you are not aware of, which may include any means of access that users configured themselves or any means that could provide illegal access.
 
Old 12-11-2012, 12:22 AM   #3
LittleMaster
Member
 
Registered: Jun 2012
Posts: 98
Blog Entries: 1

Original Poster
Sorry unSpawn, I did not give enough info in my first post.

1. I have been using PowerBroker instead of sudo. Users execute pbrun bash, get root access and perform their activities.

2. I have more than 300 users from the application team with root privileges, since they deploy and modify some apps, so I have offered them root privileges. But to acquire root privileges they use pbrun bash and give their user information before entering root, so the history seems to be stored in the users' own .bash_history files rather than root's .bash_history.

3. Operating system: Red Hat 5.8 release.

4. Some users' reboots get stored in the .bash_history in their home directories.

5. Do I have to enter each and every user and check the .bash_history files to audit who executed reboot in a particular period?

Since I could not find the time and date in the history command, I am executing the following for all 300 users, manually auditing the reboot command at a particular time. It is very hard for me to go into 300 users and find the reboot command in each user's .bash_history. Please advise an easy way to find it.


echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile
 
Old 12-11-2012, 12:29 AM   #4
descendant_command
Member
 
Registered: Mar 2012
Posts: 743

'grep reboot /home/*/.bash_history' ?
 
Old 12-11-2012, 01:07 AM   #5
arun5002
Member
 
Registered: Aug 2011
Location: Chennai,India
Distribution: Redhat,Centos,Ubuntu,Dedian
Posts: 549
Blog Entries: 5

Hey, you're a genius, man. Thanks for your help.
 
Old 12-11-2012, 04:20 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Quote (Originally Posted by LittleMaster):
Since I could not find the time and date in the history command, I am executing the following for all 300 users, manually auditing the reboot command at a particular time.
echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile
If you want to stand a chance you should 0) export them from a central directory like /etc/profile.d/, 1) for each shell in /etc/shells and 2) set both shopt -s histappend and PROMPT_COMMAND='history -a' to facilitate flushing commands to the history file immediately. Even then you must understand that 0) the actual HISTTIMEFORMAT doesn't matter, as BASH for example logs in epoch only, 1) you may encounter shells that don't log time, 2) only new history entries get tagged but, most importantly, 3) a user's shell history is under the control of the user, meaning it can be altered, tampered with or outright deleted, ergo it can not be relied on as part of an indisputable audit trail.


Quote (Originally Posted by LittleMaster):
It is very hard for me to go into 300 users and find the reboot command in each user's .bash_history.
With PowerBroker you get event and I/O logging. What it logs and where it logs depends on your settings and what PowerBroker daemon processes are running. I expect the default directory to be /var/log/ and the log file names start with pb.*.
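The settings unSpawn lists above, and the `grep reboot /home/*/.bash_history` from post #4 made time-aware, put together as an added example (this is not code from the thread, from PowerBroker or from Red Hat). Part 1 is the site-wide snippet, kept as a string so the script never touches /etc; the file name /etc/profile.d/history.sh is an assumption. Part 2 shows what bash actually writes when HISTTIMEFORMAT is set (a "#<epoch>" line before each command, so the format string itself never reaches the file) and searches a constructed stand-in for /home, with users alice and bob and epoch values constructed around 06:00 EST (1352718000 = 2012-11-12 11:00 UTC):

```shell
#!/bin/sh
# Added example, not code from the thread or from PowerBroker/Red Hat.
# Part 1: the site-wide history settings unSpawn describes.
# Part 2: what bash stores, and a time-bounded search over every
# user's history. Paths, user names and epochs are assumed/constructed.

# ---- Part 1: contents for a file such as /etc/profile.d/history.sh ----
# (file name assumed). /etc/profile.d is also read by plain sh, which has
# no shopt, hence the guard; other shells in /etc/shells need their own.
HISTORY_PROFILE_SNIPPET='[ -n "$BASH_VERSION" ] || return 0
export HISTTIMEFORMAT="%d/%m/%y %T "
shopt -s histappend
PROMPT_COMMAND="history -a"'

# ---- Part 2: what bash writes, and how to search it ----
# With HISTTIMEFORMAT set, bash precedes each saved command with a
# "#<epoch seconds>" line; the format string only affects the output of
# the `history` builtin. A shell that never set HISTTIMEFORMAT saves
# bare commands with no stamp at all.
#
# Constructed sample tree standing in for /home: alice's shell stamped
# entries, bob's did not. Epochs are constructed around 06:00 EST.
FAKE_HOME=$(mktemp -d)
mkdir -p "$FAKE_HOME/alice" "$FAKE_HOME/bob"
cat > "$FAKE_HOME/alice/.bash_history" <<'EOF'
#1352715000
ls -l /opt/app
#1352718300
pbrun bash
#1352718420
/sbin/reboot
#1352721600
vi /etc/hosts
EOF
cat > "$FAKE_HOME/bob/.bash_history" <<'EOF'
cd /opt/app
reboot
EOF

# find_in_history FILE PATTERN START_EPOCH END_EPOCH
# Prints "<epoch>TAB<command>" for every stamped entry matching PATTERN
# whose stamp lies within [START, END]. A matching entry with no stamp
# is printed as "-TAB<command>": it exists but cannot be placed in time,
# which is one of the gaps unSpawn points out.
find_in_history() {
    awk -v pat="$2" -v start="$3" -v end="$4" '
        /^#[0-9]+$/ { ts = substr($0, 2); next }
        {
            if ($0 ~ pat) {
                if (ts == "")
                    print "-\t" $0
                else if (ts + 0 >= start + 0 && ts + 0 <= end + 0)
                    print ts "\t" $0
            }
            ts = ""
        }' "$1"
}

# search_homes PATTERN START_EPOCH END_EPOCH HOMEDIR...
# Runs find_in_history over HOMEDIR/.bash_history for each directory
# given and prefixes every hit with the directory name, i.e. the user.
search_homes() {
    pat=$1; start=$2; end=$3; shift 3
    for d in "$@"; do
        [ -f "$d/.bash_history" ] || continue
        find_in_history "$d/.bash_history" "$pat" "$start" "$end" |
            awk -v user="$(basename "$d")" '{ print user "\t" $0 }'
    done
}

# Who ran something matching "reboot" between 05:30 and 06:30 EST?
search_homes reboot 1352716200 1352719800 "$FAKE_HOME"/*
```

Against real home directories this is `search_homes reboot START END /home/*` run as root, with START and END taken from the reboot time found in /var/log/messages. Hits marked "-" come from shells that never stamped their history and only show that a match exists, not when it happened. As unSpawn says, every one of these files is writable by its owner, so this narrows the list of people to ask and corroborates the PowerBroker event log and /var/log/messages; it does not replace them.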
 
Old 12-11-2012, 05:17 AM   #7
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 1,984

With 300 people having root you don't have a chance of being able to prove who did it.

All logs are subject to tampering, and you have no security.

So even if you needed the logs for legal purposes, they are useless.

Using the command history is not likely to work very well, as it is recycled every "n" commands, where "n" is up to the user. And then, it is entirely possible for the user to disable history tracking.

Since this is a voluntary thing, you are just as likely to get a good answer by just asking "who did it?"
 
Old 12-11-2012, 06:15 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Quote (Originally Posted by jpollard):
With 300 people having root you don't have a chance of being able to prove who did it.
Unless you know exactly how his PowerBroker environment is configured I would say that's a rather bold and unfounded statement to make.
 
Old 12-11-2012, 06:53 AM   #9
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 1,984

It doesn't matter. With 300 people any and all files may be modified.
 
Old 12-11-2012, 07:23 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Quote (Originally Posted by jpollard):
It doesn't matter. With 300 people any and all files may be modified.
I wonder why the amount of users should even enter the equation? It really is of no consequence. What matters in this case are what logging is configured (event log, I/O log), where it is configured to log to (local, remote) and the commands users are allowed to perform. Knowing that you can address circumvention, tamper resistance et cetera.
Without knowing that there is no tangible information to base any statements on.
 
Old 12-11-2012, 07:24 AM   #11
LittleMaster
Member
 
Registered: Jun 2012
Posts: 98
Blog Entries: 1

Original Poster
Thanks for your valuable info, unSpawn.


I tried the above posted steps to investigate. Since the user who rebooted the server removed the history from the .bash_history file in his home directory, I could not find the real culprit who rebooted the server.

When you create a user, he has the privilege to delete his own .bash_history file. I have learned a lesson from this: I have to block users from deleting their own .bash_history. Is it possible to make it so users cannot delete or modify any command in the .bash_history in their home directory?
 
Old 12-11-2012, 07:30 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Quote (Originally Posted by LittleMaster):
I tried the above posted steps to investigate.
Let me know if you actually read what I wrote about PowerBroker, its logging and if you actually checked those logs.


Quote (Originally Posted by LittleMaster):
Since the user who rebooted the server removed the history from the .bash_history file in his home directory.
IMHO wiping files is enough cause for concern to trace the user and simultaneously investigate the system for modification.


Quote (Originally Posted by LittleMaster):
Is it possible to make it so users cannot delete or modify any command in the .bash_history in their home directory?
It is possible to set the extended "append only" attribute on files but I urge you not to invest too much time in it. I already wrote the exact reasons why its contents can not be trusted.
 
All times are GMT -5.