Special Forums Cybersecurity How do i find all the commands entered by root on any terminal Post 302248780 by Smiling Dragon on Sunday 19th of October 2008 06:23:59 PM
You won't be able to do it at the scripting level unfortunately unless you already have a mechanism in place to capture the commands and just want to automate the transfer of them.

In order to really get a handle on keeping watch over your admins with root access, you'll need to hook into something at a much lower level. Solaris has a set of tools called the BSM (Basic(?) Security Module I think) which will allow you to get right down to the individual system calls if you want. Other OSes will likely have similar options available to them too. Post your OS here and with a little luck someone will be able to identify what you'll need to look at to get this going.

Another option is to look at tools like tripwire and remote syslog servers - catch the end result of the commands rather than the commands themselves. Provided everything is logged realtime to a remote server that the users in question do not have access to, you can review what they've done. Just remember to have them sign something to promise they won't turn off the logging and immediately terminate the employment of anyone that breaks this (you will see it disabled even if you can't see what happens afterwards).

Yet another option (and my preference) is to cut back the access. Use sudo to grant specific sets of commands to specific groups of users. Use file permissions to grant read-only access to users that only need that. Use setuid menus to provide for the use of more complex programs while retaining logging of what is being done.

I am one of the two senior engineers responsible for over a hundred servers and I don't know the root password to any of my boxen. It's not actually that tough to set up a three-way model to keep your access control, audit, and admin work separate. You can't prevent someone playing silly-buggers but you can certainly catch them :)
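
The sudo-plus-remote-syslog approach described in the post above, as an added example that is not part of the original post: a review script, run on the central log host, that lists every sudo request to run a command as root and picks out the ones that touch the logging or audit services. It assumes sudo's classic syslog line layout; the function names, hosts, users and log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumes sudo's classic syslog line layout:
#   <date> <host> sudo: <user> : [<reason> ;] TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=<cmd>

# Constructed sample of a central syslog file (hosts and users are made up).
sample_log() {
cat <<'EOF'
Oct 19 18:01:12 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Oct 19 18:03:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/svcadm disable system-log
Oct 19 18:04:02 web01 sshd[811]: Accepted publickey for carol from 192.0.2.10 port 50122 ssh2
Oct 19 18:05:09 db02 sudo:    carol : TTY=pts/3 ; PWD=/ ; USER=oracle ; COMMAND=/usr/bin/id
Oct 19 18:06:30 db02 sudo:    alice : command not allowed ; TTY=pts/2 ; PWD=/ ; USER=root ; COMMAND=/bin/sh
EOF
}

# Print host|user|tty|RAN-or-DENIED|command for every sudo request to run as root.
# Reads the files given as arguments, or stdin when there are none.
root_commands() {
  awk '
    index($0, " sudo: ") && / USER=root ; COMMAND=/ {
      rest = substr($0, index($0, " sudo: ") + 7); sub(/^ +/, "", rest)
      user = rest; sub(/ :.*/, "", user)
      pre  = substr(rest, 1, index(rest, "TTY=") - 1)   # text before TTY= holds any refusal reason
      tty  = substr(rest, index(rest, "TTY=") + 4); sub(/ ;.*/, "", tty)
      cmd  = substr(rest, index(rest, "COMMAND=") + 8)
      status = (pre ~ /not allowed|NOT in sudoers|incorrect password/) ? "DENIED" : "RAN"
      printf "%s|%s|%s|%s|%s\n", $4, user, tty, status, cmd
    }' "$@"
}

# Of those, keep only commands that mention the logging or audit services.
logging_changes() {
  root_commands "$@" | awk '{
      c = $0; sub(/^[^|]*\|[^|]*\|[^|]*\|[^|]*\|/, "", c)   # c = command field, even if it contains "|"
      if (c ~ /syslog|system-log|audit/) print
  }'
}

sample_log | root_commands
echo "--- touches logging:"
sample_log | logging_changes
```

This only sees commands that went through sudo; a root shell obtained some other way leaves no such lines, which is why the post pairs it with cutting back direct root access.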
 
