Granting Access using MAC for a multiple user environment.
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Granting Access using MAC for a multiple user environment.
Hi all,
I have a user environment , which can be accessible with a username and Public key as authentication . I have a set of users using the same username to access the same single environment .
To track the individual user activities inside the environment, Is there anyway ?
As they are all using the same username , Is there anyway to differentiate the users using their MAC address?
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
If they all connect from a directly-attached local network, you can see which MAC address passed each IP datagram, but keeping track of that would be a huge pain and it would only tie computer to connection, it wouldn't correlate computer to commands or actions that were performed.
Why wouldn't you just create multiple user accounts?
It is must to keep the single user account. Yes Of course , keeping track of that would be a huge pain and it would only tie computer to connection.
So , In case am dropping the idea of tracking , but if I want to isolate the user who execute a command or created a file in single user environment, How can I do it? Is there any way to trace him? (I mean not track users all time, but if needed occasionally).
Any ideas? You can suggest one other than MAC also(if it is there) .
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
Yes, there's a good suggestion: DON'T USE A SINGLE ACCOUNT!
Honestly, if you're concerned about auditing user actions, you need to figure out a way to assign separate accounts. Trying to figure out how to track individual humans using the same account is going to take more time than figuring out a way to use separate accounts would. The benefit is the same amount of effort invested in creating separate accounts will result in a vastly superior access control system, vastly superior monitoring, and it would be a permanent solution rather than a band-aid that you would have to come back and solve all over again every time you have a new problem with the shared account.
If they use the same account, what's the point of even trying to track them ?
You could NEVER prove in court that any one person was guilty of anything since they all share the same account.. you would be unable to prove which user was on any specific machine at a given time, the logs and effort to create them would be a waste of time.
Any decent security policy/regulation (PCI, Sarbanes-Oxley, Hippa, ISO 27002, etc..) will state that all users should have an individual, secure, unique login.
I can create multiple accounts and give them all access to the same resources/data I don't see why that is not possible in your environment.. ??
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
