
salimshahzad 02-20-2010 03:17 AM

logs and trace of roots
dear gurus,

if we wish to know who connected, at what time and from what host or IP address, when he logged out, and what he did or what his activities were,

how can we come to know? Please advise.

kind regards

unSpawn 02-20-2010 05:52 AM

With GNU/Linux the answer is "it depends". By default at least these features may be available:
- 'lastlog' (/var/log/lastlog) will show if a user ever logged in,
- 'who' (/var/run/utmp) will show if a user is logged in right now,
- 'last' will show when a user logged in and out and from which IP address in /var/log/wtmp (used by 'login'),
- 'ac' will show crude details of only commands run (from data in /var/log/wtmp) if process accounting was enabled,
- /var/log/secure will also show login information (including 'su') on systems running PAM,
- the user's default shell history file, if set, will list commands (updated on logout).

Also see:
- various networked daemons that might log information (say sshd),
- network (access control) devices (LDAP, Kerberos, edge router, proxy),
- the graphical subsystem (say for correlating login/logout times),
- if the user's shell is a recent BaSH and HISTTIMEFORMAT is set then timestamps (epoch) may be logged,
- GRSecurity or Auditd, if configured and in use, might log information,
- an application a user uses might log information,
- an application a user uses might leave temporary files elsewhere,
- deleted files may show clues,
- leftover processes might reveal information.

This means that if enough data is available, even if spread over different sources, correlation can work but reconstruction will need some effort. Even then the result will definitely not be complete enough to call it "irrefutable evidence". For more strict (for example PCI-compliant) logging search the Linux Security forum for threads about logging or PCI-DSS or use a search term like 'rootsh'.
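
The correlation described above, as an added example that is not part of the original post: it matches epoch-stamped bash history entries (HISTTIMEFORMAT set) against login sessions parsed from `last -F` output. The sample data, the user `alice`, the function names and the `utc_offset_hours` parameter are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples (not from the thread): `last -F` lines, and a bash
# history file written with HISTTIMEFORMAT set ("#<epoch>" before each entry).
LAST_F = """\
alice    pts/0        192.0.2.10       Sat Feb 20 15:17:02 2010 - Sat Feb 20 15:40:11 2010  (00:23)
alice    pts/1        192.0.2.77       Sat Feb 20 18:05:30 2010 - Sat Feb 20 18:09:00 2010  (00:03)
reboot   system boot  2.6.18-8.el5     Sat Feb 20 14:12:00 2010 - Sat Feb 20 15:17:00 2010  (01:05)
"""
HISTORY = "#1266679200\ncd /etc\n#1266679260\nvi passwd\n#1266689200\ncrontab -e\n#1266700000\nrm -rf /tmp/work\n"
STAMP = r"(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})"
LAST_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+" + STAMP + " - " + STAMP)

def parse_last(text, utc_offset_hours=0):
    """Closed sessions only; reboot and 'still logged in' rows do not match."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # `last` prints local time
    def epoch(s):
        return int(datetime.strptime(s, "%a %b %d %H:%M:%S %Y").replace(tzinfo=tz).timestamp())
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if m:
            sessions.append({"user": m[1], "host": m[3], "start": epoch(m[4]), "end": epoch(m[5])})
    return sessions

def parse_history(text):
    """Return (epoch or None, command); entries without a stamp get None."""
    entries, ts = [], None
    for line in text.splitlines():
        m = re.fullmatch(r"#(\d+)", line)
        if m:
            ts = int(m.group(1))
        elif line:
            entries.append((ts, line))
            ts = None
    return entries

def correlate(sessions, history, user):
    """Attach to each command every source host whose session covers its time."""
    report = []
    for ts, cmd in history:
        hosts = [s["host"] for s in sessions if s["user"] == user
                 and ts is not None and s["start"] <= ts <= s["end"]]
        report.append((cmd, hosts))  # empty list: no login record explains it
    return report

if __name__ == "__main__":
    print(correlate(parse_last(LAST_F), parse_history(HISTORY), "alice"))
```

A command with an empty host list is one that no wtmp session accounts for, which is where the other sources listed above come in.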

salimshahzad 02-20-2010 06:09 AM

thanks and highly appreciated

02-20-2010 06:53 AM


You can see who logged in using the 'last' command.
[root@node0 log]# last
root pts/0 Sat Feb 20 15:19 still logged in
reboot system boot 2.6.18-8.el5 Sat Feb 20 15:19 (00:06)
root pts/0 Sat Feb 20 15:17 - 15:17 (00:00)
root tty1 Sat Feb 20 15:17 - down (00:00)
root pts/0 Sat Feb 20 15:17 - 15:17 (00:00)
root pts/0 Sat Feb 20 15:17 - 15:17 (00:00)
reboot system boot 2.6.18-8.el5 Sat Feb 20 14:12 (01:05)

But it's quite difficult to capture everything a user did; I believe you want to capture every keystroke.
Something like what the script command does.
I can advise you to set up a master server with ssh trust to other servers and write an application (a script, a little difficult).

Let's take an example for ssh:
My master server is node0 and my client is node1

On master server:
As root run
[root@node0 ~]# ssh-keygen -t dsa

Just press enter, don't supply any passphrase.
It will create below two files.

[root@node0 ~]# ls -l /root/.ssh/id_dsa*
-rw------- 1 root root 668 Feb 20 15:39 /root/.ssh/id_dsa
-rw-r--r-- 1 root root 600 Feb 20 15:39 /root/.ssh/
[root@node0 ~]#

On client server:

Modify line starting with AuthorizedKeysFile on /etc/ssh/sshd_config as below and restart sshd.

[root@node1 ~]# grep AuthorizedKeysFile /etc/ssh/sshd_config
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
[root@node1 ~]# service sshd restart
[root@node1 ~]# mkdir /etc/ssh/authorized_keys/
[root@node1 ~]# cd /etc/ssh/authorized_keys/

Here create a file root as content of node0:/root/.ssh/ which we created in last section.

Then create a generic account say genuser on client.

[root@node1 ~]# useradd genuser
[root@node1 ~]# passwd -d genuser << you don't need to remove the password since you have not created one; follow this in case you have an existing user.

Now follow below steps,

[root@node1 authorized_keys]# cd
[root@node1 ~]# cd /etc/ssh/authorized_keys/
[root@node1 authorized_keys]# ls -l
total 8
-rw-r--r-- 1 root root 589 Feb 20 20:30 root
[root@node1 authorized_keys]# ln -s root genuser
[root@node1 authorized_keys]# ls -l
total 12
lrwxrwxrwx 1 root root 4 Feb 20 20:50 genuser -> root
-rw-r--r-- 1 root root 589 Feb 20 20:30 root
[root@node1 authorized_keys]#

So on client genuser cannot login since you have already disabled password.
So how will you login to client node1 as genuser ??
Here you go:

[root@node0 ~]# hostname
[root@node0 ~]# id -a
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@node0 ~]#
[root@node0 ~]# ssh genuser@node1
Last login: Sat Feb 20 20:52:16 2010 from
[genuser@node1 ~]$ id -a
uid=501(genuser) gid=501(genuser) groups=501(genuser)
[genuser@node1 ~]$

Now you have restricted login to client for a user and user can only login from master server.

Here is the difficult part..
1. You have to write an application which will accept login to master server as user.
2. And it should have intelligence to verify access level for a user, so that a user can only login as certain users.
3. Run application as root.
4. Run "script <%user.%date.%time>" so that you can log keystrokes for each user.
5. And then it should run below command to login to client as user genuser.

ssh genuser@node1

You can apply sudo, since you should never grant root access to users and you cannot run ssh <username>@hostname (as per above logic) without root.

I would advise you to create a generic account on the server and give a level of access to that user and allow users to login as generic account and do their tasks.

It's just an idea if you want to develop an in-house application.

salimshahzad 02-21-2010 12:55 AM

this is great, simple and highly appreciated

unSpawn 02-21-2010 03:23 AM

No it's rather convoluted (there are easier ways to restrict SSH access), it contains bad advice ('ln -s root genuser'), it's insecure (as it involves SSH + root account), incomplete (the logging keystrokes part) and completely unnecessary (if you would have understood my hint about searching the Linux Security forum for threads about logging or PCI-DSS or use a search term like 'rootsh'). Please try to understand things before you blindly accept a reply as a good answer.

02-21-2010 09:23 AM

Not an offending view or argument, there is always a better way to do things.

“Completely unnecessary??” Sorry, I just gave an idea to develop something on your own.
I misread the subject, it's not for logging root, it’s for normal users and you don’t need to delegate root access to each and everyone, you can go via sudo.

Of course it’s incomplete, since it’s an idea, not a complete solution.
