LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 02-20-2010, 02:17 AM   #1
salimshahzad
Member
 
Registered: Dec 2009
Posts: 200

Rep: Reputation: 15
logs and trace of roots


dear gurus,

If we wish to know who connected, at what time and from what host or IP address, when they logged out, and what they did or what their activities were,

how can we come to know? Please advise.

kind regards
 
Old 02-20-2010, 04:52 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
With GNU/Linux the answer is "it depends". By default at least these features may be available:
- 'lastlog' (/var/log/lastlog) will show if a user ever logged in,
- 'who' (/var/run/utmp) will show if a user is logged in right now,
- 'last' will show when a user logged in and out and from which IP address in /var/log/wtmp (used by 'login'),
- 'ac' will show crude details of only commands run (from data in /var/log/wtmp) if process accounting was enabled,
- /var/log/secure will also show login information (including 'su') on systems running PAM,
- the user's default shell history file, if set, will list commands (updated on logout).

Also see:
- various networked daemons that might log information (say sshd),
- network (access control) devices (LDAP, Kerberos, edge router, proxy),
- the graphical subsystem (say for correlating login/logout times),
- if the user's shell is a recent BaSH and HISTTIMEFORMAT is set then timestamps (epoch) may be logged,
- GRSecurity or Auditd, if configured and in use, might log information,
- an application a user uses might log information,
- an application a user uses might leave temporary files elsewhere,
- deleted files may show clues,
- leftover processes might reveal information.

This means that if enough data is available, even if spread over different sources, correlation can work but reconstruction will need some effort. Even then the result will definitely not be complete enough to call it "irrefutable evidence". For more strict (for example PCI-compliant) logging search the Linux Security forum for threads about logging or PCI-DSS or use a search term like 'rootsh'.
 
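As an added example (not from the thread or its posters), the following reconstructs login/logout sessions from /var/log/wtmp the way 'last' does, directly from the binary records, so the pairing of login, logout, reboot and "still logged in" entries is explicit. It assumes the glibc x86_64 struct utmp layout and builds a constructed sample wtmp inline.

```python
import struct
from collections import namedtuple

# glibc struct utmp on x86_64 (384 bytes): ut_type, pad, ut_pid, ut_line, ut_id,
# ut_user, ut_host, ut_exit{2 shorts}, ut_session, ut_tv{sec,usec}, ut_addr_v6[4],
# reserved. The layout is an assumption about the platform (32-bit ABIs differ).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)            # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>
Record = namedtuple("Record", "ut_type pid line user host sec")
Session = namedtuple("Session", "user line host login logout")

def pack_record(ut_type, pid, line, user, host, sec):
    """Build one wtmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0, b"")

def parse_wtmp(data):
    """Decode fixed-size records; a trailing partial record is ignored."""
    text = lambda b: b.split(b"\0", 1)[0].decode(errors="replace")
    out = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        out.append(Record(f[0], f[1], text(f[2]), text(f[4]), text(f[5]), f[9]))
    return out

def reconstruct_sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty, as last(1)
    does. BOOT_TIME closes open sessions as 'down'; unclosed ones get logout None."""
    open_by_line, sessions = {}, []
    for r in records:
        if r.ut_type == USER_PROCESS:
            open_by_line[r.line] = r
        elif r.ut_type == DEAD_PROCESS and r.line in open_by_line:
            o = open_by_line.pop(r.line)
            sessions.append(Session(o.user, o.line, o.host, o.sec, r.sec))
        elif r.ut_type == BOOT_TIME:
            for o in open_by_line.values():
                sessions.append(Session(o.user, o.line, o.host, o.sec, "down"))
            open_by_line.clear()
    return sessions + [Session(o.user, o.line, o.host, o.sec, None)
                       for o in open_by_line.values()]

# Constructed sample wtmp, modelled on the `last` output quoted later in the thread
T = 1266650220  # constructed epoch (20 Feb 2010 UTC)
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 2001, "pts/0", "root", "192.168.0.100", T),
    pack_record(DEAD_PROCESS, 2001, "pts/0", "", "", T + 30),
    pack_record(USER_PROCESS, 2010, "tty1", "root", "", T + 40),
    pack_record(BOOT_TIME, 0, "~", "reboot", "2.6.18-8.el5", T + 120),
    pack_record(USER_PROCESS, 2300, "pts/0", "root", "192.168.0.100", T + 130),
])
```

On a real system, `reconstruct_sessions(parse_wtmp(open("/var/log/wtmp", "rb").read()))` gives the same pairing; note that a session whose logout was never written (crash, rotated log) shows as still open, which is one reason the thread warns the result is not "irrefutable evidence".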
Old 02-20-2010, 05:09 AM   #3
salimshahzad
Member
 
Registered: Dec 2009
Posts: 200

Original Poster
Rep: Reputation: 15
Thanks, highly appreciated.
 
Old 02-20-2010, 05:53 AM   #4
redhat2010@rocketmail.co
LQ Newbie
 
Registered: Feb 2010
Posts: 4

Rep: Reputation: 1
Hello,

You can see who logged in using the 'last' command:
[root@node0 log]# last
root pts/0 192.168.0.100 Sat Feb 20 15:19 still logged in
reboot system boot 2.6.18-8.el5 Sat Feb 20 15:19 (00:06)
root pts/0 192.168.0.100 Sat Feb 20 15:17 - 15:17 (00:00)
root tty1 Sat Feb 20 15:17 - down (00:00)
root pts/0 192.168.0.100 Sat Feb 20 15:17 - 15:17 (00:00)
root pts/0 192.168.0.100 Sat Feb 20 15:17 - 15:17 (00:00)
reboot system boot 2.6.18-8.el5 Sat Feb 20 14:12 (01:05)

But it's quite difficult to capture everything a user did; I believe you want to capture every keystroke,
something like what the script command does.
I can advise you to set up a master server with ssh trust to the other servers and write an application (a script, a little difficult).

Let’s take an example for ssh:
My master server is node0 and my client is node1

On master server:
As root run
[root@node0 ~]# ssh-keygen -t dsa

Just press Enter; don't supply any passphrase.
It will create the two files below.

[root@node0 ~]# ls -l /root/.ssh/id_dsa*
-rw------- 1 root root 668 Feb 20 15:39 /root/.ssh/id_dsa
-rw-r--r-- 1 root root 600 Feb 20 15:39 /root/.ssh/id_dsa.pub
[root@node0 ~]#

On client server:

Modify the line starting with AuthorizedKeysFile in /etc/ssh/sshd_config as below and restart sshd.

[root@node1 ~]# grep AuthorizedKeysFile /etc/ssh/sshd_config
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
[root@node1 ~]# service sshd restart
[root@node1 ~]# mkdir /etc/ssh/authorized_keys/
[root@node1 ~]# cd /etc/ssh/authorized_keys/

Here, create a file named root with the content of node0:/root/.ssh/id_dsa.pub, which we created in the last section.

Then create a generic account, say genuser, on the client.

[root@node1 ~]# useradd genuser
[root@node1 ~]# passwd -d genuser << you don't need to remove the password since you have not created one; follow this in case you have an existing user.

Now follow the steps below:

[root@node1 authorized_keys]# cd
[root@node1 ~]# cd /etc/ssh/authorized_keys/
[root@node1 authorized_keys]# ls -l
total 8
-rw-r--r-- 1 root root 589 Feb 20 20:30 root
[root@node1 authorized_keys]# ln -s root genuser
[root@node1 authorized_keys]# ls -l
total 12
lrwxrwxrwx 1 root root 4 Feb 20 20:50 genuser -> root
-rw-r--r-- 1 root root 589 Feb 20 20:30 root
[root@node1 authorized_keys]#

So on the client, genuser cannot log in since you have already disabled the password.
So how will you log in to client node1 as genuser?
Here you go:

[root@node0 ~]# hostname
node0
[root@node0 ~]# id -a
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@node0 ~]#
[root@node0 ~]# ssh genuser@node1
Last login: Sat Feb 20 20:52:16 2010 from 192.168.0.110
[genuser@node1 ~]$ id -a
uid=501(genuser) gid=501(genuser) groups=501(genuser)
[genuser@node1 ~]$

Now you have restricted login to the client for a user, and the user can only log in from the master server.

Here is the difficult part:
1. You have to write an application which will accept logins to the master server as a user.
2. It should have the intelligence to verify the access level for a user, so that a user can only log in as certain users.
3. Run the application as root.
4. Run “script <%user.%date.%time>” so that you can log keystrokes for each user.
5. Then it should run the command below to log in to the client as user genuser.

ssh genuser@node1

You can apply sudo, since you should never grant root access to users and you cannot run ssh <username>@hostname (as per the above logic) without root.

I would advise you to create a generic account on the server, give a level of access to that user, and allow users to log in as the generic account and do their tasks.

It’s just an idea if you want to develop an in-house application.
 
Old 02-20-2010, 11:55 PM   #5
salimshahzad
Member
 
Registered: Dec 2009
Posts: 200

Original Poster
Rep: Reputation: 15
This is great, simple and highly appreciated.
 
Old 02-21-2010, 02:23 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
No it's rather convoluted (there are easier ways to restrict SSH access), it contains bad advice ('ln -s root genuser'), it's insecure (as it involves SSH + root account), incomplete (the logging keystrokes part) and completely unnecessary (if you would have understood my hint about searching the Linux Security forum for threads about logging or PCI-DSS or use a search term like 'rootsh'). Please try to understand things before you blindly accept a reply as a good answer.
 
Old 02-21-2010, 08:23 AM   #7
redhat2010@rocketmail.co
LQ Newbie
 
Registered: Feb 2010
Posts: 4

Rep: Reputation: 1
Not an offending view or argument; there is always a better way to do things.

“Completely unnecessary??” sorry, I just gave an idea to develop something on own.
I misread the subject: it's not for logging root, it's for normal users, and you don't need to delegate root access to each and everyone; you can go via sudo.

Of course it's incomplete, since it's an idea, not a complete solution.
 