LinuxQuestions.org


wjeanpaul 05-17-2006 04:42 PM

Identifying non-administrators w/ root privilege/ Multiple root account in use
 
Hey guys,
I need your help with the following questions:

Question 1: Is there a method (command) that could be used to display a list of all users logged in (and/or out) since a file and/or directory was created? My purpose is to identify non-administrators who were able to view root-owned files.

Question 2: What are the security risks associated with using multiple accounts w/ UID of zero?
For example, root (default), rootk and rootc have a UID of 0. However, the shells are different. Is that a security risk? If so, why?


Thanks,

W

chrism01 05-18-2006 01:52 AM

2. It means that afterwards you will not be able to tell who did what, because ownerships will be indistinguishable....
There should only ever be 1 root.
If some users need occasional access to root owned cmds, look into the sudo facility.

wjeanpaul 05-18-2006 08:26 AM

Question #2
 
Quote:

Originally Posted by chrism01
2. It means that afterwards you will not be able to tell who did what, because ownerships will be indistinguishable....
There should only ever be 1 root.
If some users need occasional access to root owned cmds, look into the sudo facility.

Question 2 follow up:
Hello Chris,

Thanks for your reply. Can you help me understand how you can hold anyone accountable if you have more than one administrator using the same root password? I am just trying to understand the best way to manage this issue.

Thanks for your assistance

W

unSpawn 05-18-2006 10:52 AM

Quote:

Is there a method (command) that could be used to display a list of all users logged in (and/or out) since a file and/or directory was created? My purpose is to identify non-administrators who were able to view root-owned files.

If you take the MAC time of the created file/dir as starting point, then for users with local system login enabled you could use the "last" command. It also depends on what ways (services) the file was accessible (before) (as in service configuration and/or file/dir permissions). I think this is a good argument for running a GRSecurity RBAC or SELinux enabled server: if set up in enforcing mode there would have to be explicit rules for file access inclusion. If you can be more verbose with respect to your situation, add an example if you can, maybe there's more to add.


Quote:

hold anyone accountable if you have more than one administrator using the same root password.

(This may sound harsh but I'm just emphasising what chrism01 already said) what you need to understand is there are no compelling and valid reasons to have multiple root privilege accounts. The best way to manage this issue therefore would be to add auditing facilities and disable (and later on remove) those excess accounts. If you disagree please post reasons why you think you need multiple root privilege accounts.
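
An added example, not part of unSpawn's post or of the thread: shell helpers that list every UID-0 entry in a passwd-format file (the excess accounts to disable) and run "last" from a file's modification time onward. The function names and the sample passwd lines are constructed for illustration, and the last helper assumes GNU date (`-r FILE`) and util-linux last (`-s`, `-F`).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes GNU date (-r FILE) and util-linux last (-s/--since, -F).

# Constructed sample in passwd(5) format, mirroring the accounts in the question.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
rootk:x:0:0:admin K:/root:/bin/ksh
rootc:x:0:0:admin C:/root:/bin/csh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Print "name shell" for every entry whose UID field is 0.
# Reads the passwd-format file given as $1 (default /etc/passwd).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1, $7 }' "${1:-/etc/passwd}"
}

# Print only the UID-0 names other than "root": the accounts to disable.
extra_root_accounts() {
    uid0_accounts "${1:-/etc/passwd}" | awk '$1 != "root" { print $1 }'
}

# List wtmp login records since FILE ($1) was last modified.
# Creation time is not reliably available, so mtime is the starting point.
logins_since_file() {
    since=$(date -r "$1" '+%Y-%m-%d %H:%M:%S') || return 1
    last -F -s "$since"
}
```

Tools such as `ls -l` and `ps` resolve UID 0 to a single name, so file ownership and process listings cannot separate these accounts; the login name recorded in wtmp, which `last` prints, is the one place they still differ.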

soulestream 05-19-2006 08:55 PM

I smell somebody's homework.


SOule


All times are GMT -5.