So which is it? Do you "know for a fact" that he logs in two times a day, or are you taking his word for it?
Since he's just inspecting some files, is it possible that rather than ssh'ing into the server to see the files, he has set up a cron job on your server to scp the files to his machine at regular intervals, so he just inspects them locally? In which case you wouldn't be looking for incoming connections, you'd be looking for outgoing connections.
As far as I know, most distributions are configured to log incoming ssh connections to /var/log/messages or /var/log/secure by default. So unless your system is configured differently, there are two options here:
1) He's not logging in twice a day (so either he's not checking the system, or he's set it up to autonomously send the necessary log files to his own machine at regular intervals).
2) He's deleting entries to "cover his tracks".
What ssh client he's using does not factor into the equation, since it's your system that's accepting the connection and should be logging the entry.
The fact is, since he has root access, he can do literally anything he wants on your system. He can cover his tracks, he can install malware, he can hijack your system for bitcoin mining, he can block access to all other users, he can format the entire system and leave you dead in the water. Anything he wants. Root access should never be granted to anybody you do not trust entirely. The mere existence of this thread and your questions implies that you don't trust his word, which begs the question, why on Earth does he have root access to begin with?
Thank you for everyone's reply. I trust this guy and he has been doing a great job managing this server. But management doesn't trust him and don't take my word for it, I need to report back by tomorrow morning.
I personally have been removing all the maillog, messages and secure logs from the server, just something that I do to empty the space on the server. Could his SSH logins have been removed from lastlog as a result of my act?? If so I have to let the management know...
Can someone remove only some of the entries from the lastlog file? If so, how?
If he's supposed to be logging in as part of his job, why would he want to hide his tracks?
Looking at the human engineering, it would seem to me more likely that he's not logging in when he says he is.
He is supposed to log in, but I don't want to be the one causing him trouble by reporting false info to the management.
A. Poor guy might have logged in, but as a result of my actions (cleaning up the maillog, messages, etc.) he can't show proof of logging in.
B. He might have used another software to access the server which wouldn't leave a log in the lastlog file. I need to be able to explain this to the management tomorrow.
One other thought; look at time stamps on the logs or other files.
suicidaleggroll has a good point. How do you know that this user is logging in twice per day? 'root' should not be shared. <Please note the period.
You will always be open to problems when more than one person has root privileges.
Only he has the root account, I have a regular account
He is using SCP, has probably no cron set up, he told me before that he moves files to his machine all the time. Wouldn't those logins for manual file transferring be recorded in lastlog?
I may have missed it before, but what distro are you using?
I just did some tests on CentOS 6.5, and scp connections do NOT show up in lastlog, but they DO show up in /var/log/secure.
Last edited by suicidaleggroll; 10-22-2014 at 09:19 PM.
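The point above, that scp/WinSCP sessions are missing from lastlog but are recorded in /var/log/secure, can be checked by pulling the sshd "Accepted ..." lines out of that file. The script below is an added example, not code from this thread; the log lines it writes are constructed sample data in the CentOS 6 syslog format (hostname server1, addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges), and the function names are my own.

```shell
#!/bin/sh
# Added example: summarise sshd "Accepted ..." lines from a /var/log/secure-style
# file, since scp/WinSCP sessions appear there but not in lastlog.
# The lines written by write_sample_log are constructed sample data, not real logs.

# write_sample_log FILE: write the constructed sample lines to FILE
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 22 08:01:12 server1 sshd[1234]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Oct 22 08:01:12 server1 sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 22 08:03:40 server1 sshd[1234]: pam_unix(sshd:session): session closed for user root
Oct 22 17:45:02 server1 sshd[2345]: Accepted publickey for root from 192.0.2.10 port 51300 ssh2
Oct 23 09:12:55 server1 sshd[3456]: Failed password for root from 198.51.100.7 port 40000 ssh2
Oct 23 09:15:01 server1 sshd[3460]: Accepted password for alice from 192.0.2.22 port 51555 ssh2
EOF
}

# accepted_logins FILE...: one line per accepted sshd login, "Mon DD user method source".
# Pass rotated archives as extra arguments (secure secure.1 secure.2 ...) to cover
# the whole retention window.
accepted_logins() {
    cat "$@" | awk '
        $5 ~ /^sshd\[/ && $6 == "Accepted" {
            # $1 $2 = month day, $7 = auth method, $9 = user, $11 = source address
            print $1, $2, $9, $7, $11
        }'
}

# logins_per_user_per_day FILE...: "user Mon DD count", sorted
logins_per_user_per_day() {
    accepted_logins "$@" | awk '{ c[$3 " " $1 " " $2]++ } END { for (k in c) print k, c[k] }' | sort
}

# count_accepted_for_user FILE USER: number of accepted logins for USER (0 if none)
count_accepted_for_user() {
    file=$1; user=$2
    accepted_logins "$file" | awk -v u="$user" '$3 == u { n++ } END { print n+0 }'
}

# Run with --demo to print the per-user, per-day summary of the sample data.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "Accepted logins by user and day:"
    logins_per_user_per_day "$tmp"
    rm -f "$tmp"
fi
```

On the sample data this reports two root logins on Oct 22 (one password, one publickey, i.e. what an scp session also produces) and one for alice on Oct 23; the failed attempt is ignored. Against a real host you would run `logins_per_user_per_day /var/log/secure /var/log/secure.*`, which is exactly why deleting the secure.x archives removes the evidence.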
We have several machines, CentOS mostly. This is great to know, I have been cleaning up the secure archive log file (secure.1, secure.2, etc.) throughout all these years, so could the poor guy be using winscp many times and no login entry shows up in lastlog because secure.x files are gone??
That seems entirely plausible. From what I can tell scp connections do not show up in lastlog at all, so unless you look at /var/log/secure they would be missed.
I wasn't among the sudoers until recently, now that I have a sudoer account, I can see his login attempts (tty, timestamp, everything) under the user root. Those entries are not many, maybe one each month, that can't be right as I personally had asked him to run a command for me, send me a file from the server, etc. several times a day and in order for him to be able to do that he would have to log into the server...
So by removing all the secure.x archive files, all those entry records are gone, too...
As an aside, it might be a good idea to look into using logrotate to control space in /var/log, rather than deleting log files manually. You could store the archives created by logrotate in the event they need to be consulted at a later date.