LinuxQuestions.org
Old 02-14-2007, 06:28 AM   #1
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 364

Rep: Reputation: 38
Who did what?


We have a server with several system administrators maintaining the server. Every administrator logs in using their own id and then su - to root.

Is it possible to see which user executed which commands (after they su - to root)?
 
Old 02-14-2007, 11:42 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344
No, su activities can't be audited back to an individual. You need a change control system. It doesn't need to be software, it can simply be a process. If you want an audit trail, enforce the use of sudo - prohibit su.

Last edited by macemoneta; 02-14-2007 at 11:43 PM.
 
Old 02-15-2007, 06:07 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: If you want an audit trail, enforce the use of sudo - prohibit su.
If you want an audit trail that includes commands users execute (when they su to other accounts), force Sudo but also force using a logging shell wrapper like Rootsh or Sudosh. The main difference between the two AFAIK is that Sudosh has session playback capabilities. If you want to expand on that, make the wrapper log to syslog and log to a remote syslog host.

[edit]
You also may want to use a file integrity checker like Aide, Samhain or even tripwire to monitor changes. Top it off with a tool to monitor services for changes (like Monit). I have the most important configs under a revision system which makes it easy to check change info and revert back in case it gets fscked up.
[/edit]

Last edited by unSpawn; 02-15-2007 at 06:19 AM. Reason: more is more.
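
An added example, not part of any post in this thread: a parser for sudo's syslog entries that attributes each command to the invoking user and flags the entries where a sudo-only trail stops (a root shell started through sudo), which is the gap the logging shell wrapper in post #3 covers. The log lines are constructed, and the names `parse`, `commands_by_user` and `blind_spots` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread), in sudo's syslog line format.
SAMPLE_LOG = """\
Feb 15 06:07:11 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Feb 15 06:09:40 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Feb 15 06:12:02 srv1 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/sbin/service httpd restart
Feb 15 06:15:30 srv1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Feb 15 06:16:00 srv1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su -
Feb 15 06:20:00 srv1 sshd[411]: Accepted publickey for bob from 192.0.2.10 port 50122 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;=]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Programs that hand over an interactive shell; sudo logs nothing typed inside it.
SHELLS = {"su", "sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}

def parse(log_text):
    """Return one dict per sudo entry; other syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        prog = (e["cmd"].split() or [""])[0].rsplit("/", 1)[-1]
        e["denied"] = e["reason"] is not None  # reason text is present when sudo refused
        e["opens_shell"] = not e["denied"] and prog in SHELLS
        events.append(e)
    return events

def commands_by_user(events):
    """Map each invoking user to the commands sudo actually ran for them."""
    out = defaultdict(list)
    for e in events:
        if not e["denied"]:
            out[e["user"]].append(e["cmd"])
    return dict(out)

def blind_spots(events):
    """Entries after which the sudo log can no longer say who did what."""
    return [e for e in events if e["opens_shell"]]

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(commands_by_user(evs))
    print([(e["ts"], e["user"], e["cmd"]) for e in blind_spots(evs)])
```
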
 
Old 02-22-2007, 11:08 AM   #4
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 364

Original Poster
Rep: Reputation: 38
Thanks for your answers.
 
Old 02-28-2007, 03:18 AM   #5
jeru
Member
 
Registered: Feb 2003
Location: Arizona
Distribution: Debian Sid
Posts: 57

Rep: Reputation: 15
You can alias su to do something like this in /etc/profile.

alias su="su -p"

I'm guessing you're seeing who did what based on bash_history or something... That'll keep it in their profiles.

man su
-m, -p, --preserve-environment
do not reset environment variables, and keep the same shell
 
  

