LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-23-2003, 10:28 AM   #1
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
user auditing tools


Hey all,

As usual I have an open ended bizarre question. I am looking for tools to validate/ track users who su. All I have found so far are high end tools from the likes of IBM either host based IDS or integrated access management. Basically my understanding of what is needed is that when a user logs in (via ssh or telnet) as themself, when they su to "root" there needs to be a way to "validate" the commands that are being run are by a specific user.

Example:

UserA logs in and su's to root, UserB also logs in and is su'ed to root. Both are issuing commands. The history log shows these commands but there is no way to say which user did what.

Anyone have any thoughts on this?
 
Old 12-23-2003, 11:39 AM   #2
Ciccio
Member
 
Registered: Nov 2002
Location: Paraguay
Distribution: Mandrake 10
Posts: 573

Rep: Reputation: 30
You shouldn't give your root password to any unnecessary user, for that you have the sudo (/etc/sudoers), search in google. Sudo keeps a very good log.
 
Old 12-23-2003, 11:44 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,417
Blog Entries: 55

Rep: Reputation: 3627
I agree. Easiest way to implement would be IMHO to deny them root access, give them a Bash shell that logs everything and give them only access to specific sudo commands to execute as root. Beware of command pitfalls tho, like anything that gives access to $EDITOR for instance.


Quote:
All I have found so far are high end tools from the likes of IBM either host based IDS or integrated access management.
Please share?
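The "specific sudo commands only" approach and the $EDITOR pitfall mentioned above can be checked mechanically. The following is an added example for this thread (not code from any poster or from the sudo project): a small Python lint that parses a constructed sudoers fragment, expands Cmnd_Alias names, and reports rules that grant an editor or pager as root without the NOEXEC tag, or that grant ALL outright. The ESCAPE_CAPABLE list and the sample policy are assumptions made for the example, not anything sudo itself defines.

```python
"""Flag sudoers rules that hand a "limited" user an interactive escape.

Added example for this thread (not code from any poster or from the sudo
project).  It parses a constructed sudoers fragment and reports commands
that let a user run an editor or pager as root without NOEXEC, plus rules
that grant ALL outright.  The ESCAPE_CAPABLE list is an assumption for
the example, not something sudo defines.
"""
import os
import re

# Programs that can open arbitrary files or start a subprocess as root.
# Assumed list for the example; extend it to match local policy.
ESCAPE_CAPABLE = {"vi", "vim", "view", "less", "more", "man", "emacs", "nano"}

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(?P<name>\w+)\s*=\s*(?P<cmds>.+)$")
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Directive types this toy parser does not need to model.
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")


def _split_tags(entry):
    """'NOPASSWD: NOEXEC: /usr/bin/vi' -> ({'NOPASSWD', 'NOEXEC'}, '/usr/bin/vi')."""
    tags, _, cmd = entry.rpartition(":")
    tagset = {t.strip() for t in tags.split(":") if t.strip()}
    return tagset, cmd.strip()


def parse_sudoers(text):
    """Return (aliases, rules): aliases map name -> [entry]; rules are
    (user, runas, [entry]) tuples.  Comments and blank lines are ignored
    ('#include' directives are not handled in this example)."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group("name")] = [c.strip() for c in m.group("cmds").split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            entries = [c.strip() for c in m.group("cmds").split(",")]
            rules.append((m.group("user"), m.group("runas") or "root", entries))
    return aliases, rules


def find_escapes(text):
    """List (user, command) pairs that amount to a root shell in practice."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for user, _runas, entries in rules:
        for entry in entries:
            tags, cmd = _split_tags(entry)
            for member in aliases.get(cmd, [cmd]):  # expand Cmnd_Alias names
                mtags, mcmd = _split_tags(member)
                if mcmd == "ALL":
                    findings.append((user, "ALL"))
                    continue
                prog = os.path.basename(mcmd.split()[0])
                # NOEXEC blocks the editor from spawning a shell; sudoedit
                # (never flagged) is the safer way to grant file editing.
                if prog in ESCAPE_CAPABLE and "NOEXEC" not in (tags | mtags):
                    findings.append((user, mcmd))
    return findings


# Constructed sample policy for this example (not a real site's sudoers).
SAMPLE_SUDOERS = """\
# constructed sample policy
Cmnd_Alias EDITORS = /usr/bin/vi, /usr/bin/vim
Cmnd_Alias SERVICES = /sbin/service httpd restart, /sbin/service sshd restart
Defaults logfile=/var/log/sudo.log
usera  ALL = (root) SERVICES
userb  ALL = (root) EDITORS
userc  ALL = (root) NOEXEC: EDITORS, /usr/bin/less /var/log/messages
userd  ALL = (root) sudoedit /etc/httpd/conf/httpd.conf
%wheel ALL = (ALL) ALL
"""

if __name__ == "__main__":
    for user, cmd in find_escapes(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} is wider than 'specific commands only'; use NOEXEC or sudoedit")
```

On the sample policy the lint reports userb (vi and vim without NOEXEC), userc's plain less entry, and the %wheel ALL rule; usera, userd and userc's NOEXEC-tagged editors pass. NOEXEC only stops the editor from running other programs; it still edits any file as root, which is why sudoedit is the better grant when the goal is editing a specific file.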
 
Old 12-23-2003, 12:17 PM   #4
anon237
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532

Rep: Reputation: 2405
Stopping bash history logging is very easy to do, so don't count on those logs to be accurate.

I totally agree on using sudo.

Like unSpawn, I like to hear about those IBM tools as well :-)
 
Old 12-23-2003, 12:42 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,417
Blog Entries: 55

Rep: Reputation: 3627
Quote:
Stopping bash history logging is very easy to do
Sure, if you kill syslogd, that is, I'm talking about a somewhat modified Bash (see www.rootshell.be/~unspawn/packaging/bash.html).
 
Old 12-23-2003, 12:50 PM   #6
anon237
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532

Rep: Reputation: 2405
Even regular users can do it:

HISTSIZE=0



I just had a quick look at the bash link: Looks nice, am going to check it out right now.
 
Old 12-23-2003, 01:41 PM   #7
anon237
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532

Rep: Reputation: 2405
Just to be clear about this: My option does _not_ work if you use the bash version unSpawn is referring to.

@unSpawn: Very nice!
 
Old 12-23-2003, 02:02 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,417
Blog Entries: 55

Rep: Reputation: 3627
Quote:
HISTSIZE=0
...or "ln -sf /dev/null ~/.bash_history", never seen "mknod ~/.bash_history c 1 3" tho.


Quote:
Just to be clear about this: My option does _not_ work if you use the bash version unSpawn is referring to. @unSpawn: Very nice!
Don't credit me, credit Antonomasia, he did ALL the work. I just made sure his patches aligned with my Bash version and rpm-ized it, IOW, I'm just the messenger for this.
 
Old 12-24-2003, 08:48 AM   #9
Ciccio
Member
 
Registered: Nov 2002
Location: Paraguay
Distribution: Mandrake 10
Posts: 573

Rep: Reputation: 30
No need for that kind of log, sudo records a log by user... all you need to do is a little work with sudoers, but that should take about half an hour and you don't compromise security in your system.

Anyway, when you su you start the root shell, and I don't like the idea of messing around with root's shell...

http://www.courtesan.com/sudo/
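The per-user log this post and reply #2 refer to is what answers the original question (which user ran which root command). As an added example that is not code from any poster or from the sudo project, the Python below parses constructed syslog lines in sudo's default format ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=...") and groups commands by the invoking user, keeping denied attempts separate. The hostname, user names and commands in the sample are made up; a plain su line is included to show that it records who became root but not what they ran.

```python
"""Attribute root commands to the invoking user from sudo's syslog lines.

Added example for this thread (not code from any poster or from the sudo
project).  The log lines are constructed to match sudo's default syslog
format; host and user names are made up.
"""
import re
from collections import defaultdict

# "Dec 23 10:31:02 web1 sudo:    usera : <rest>" (the [pid] part is optional)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+)\s+:\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for a sudo line, or None for anything else (e.g. su)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "user": m.group("user"), "denied": None}
    # Fields are separated by " ; ".  A successful run starts with TTY=...;
    # a refusal starts with free text such as "command not allowed".
    for part in m.group("rest").split(" ; "):
        key, sep, val = part.partition("=")
        if sep and key.isupper():
            rec[key] = val
        else:
            rec["denied"] = part
    return rec


def attribute(lines):
    """Map invoking user -> [(timestamp, run-as user, command, denied reason)]."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and "COMMAND" in rec:
            by_user[rec["user"]].append(
                (rec["ts"], rec.get("USER", "?"), rec["COMMAND"], rec["denied"]))
    return dict(by_user)


def denied_counts(lines):
    """Refused sudo attempts per user, a cheap signal for an internal audit."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["denied"]:
            counts[rec["user"]] += 1
    return dict(counts)


# Constructed sample log for this example.
SAMPLE_LOG = """\
Dec 23 10:31:02 web1 sudo:    usera : TTY=pts/1 ; PWD=/home/usera ; USER=root ; COMMAND=/sbin/service httpd restart
Dec 23 10:32:15 web1 sudo:    userb : TTY=pts/2 ; PWD=/home/userb ; USER=root ; COMMAND=/sbin/service sshd restart
Dec 23 10:33:40 web1 sudo:    userb : command not allowed ; TTY=pts/2 ; PWD=/home/userb ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Dec 23 10:35:07 web1 su(pam_unix)[2201]: session opened for user root by userc(uid=502)
Dec 23 10:36:11 web1 sudo:    usera : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/cat /etc/hosts
"""

if __name__ == "__main__":
    for user, runs in sorted(attribute(SAMPLE_LOG.splitlines()).items()):
        for ts, runas, cmd, denied in runs:
            status = f"DENIED ({denied})" if denied else "ok"
            print(f"{ts} {user} -> {runas}: {cmd} [{status}]")
    print("denied attempts:", denied_counts(SAMPLE_LOG.splitlines()))
```

The su line yields nothing because, as the poster says, once you su you are in root's shell and the command history cannot be tied to a person; only the sudo records carry the invoking user on every command.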
 
Old 12-24-2003, 09:26 AM   #10
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Original Poster
Rep: Reputation: 30
hmmm very interesting......not sure what commands the users are trying to run, but this is a step in the right direction. looks like more research (google) is in order.

As for the tools, Symantec has host based IDS called Intruder Alert. not exactly designed for this issue but can be used to monitor log activity. NetForensics can also do the same thing "real time".

IBM's big tool in this space would be Tivoli Access Manager for Operating Systems. This will integrate with a user repository such as LDAP or Active Directory. Through a series of Access Control Lists and Defined Policies you can limit access to certain files or directories. It also has very verbose logging which would satisfy the non-repudiation aspect of any internal audit. But it is very pricey, to the tune of half a million or so for Enterprise level.


Thanks for the heads up all....and have a safe and happy holiday!
 
  

