|
|
Sponsored Content
Special Forums
Cybersecurity
How do i find all the commands entered by root on any terminal
Post 302248780 by Smiling Dragon on Sunday 19th of October 2008 06:23:59 PM
10-19-2008
You won't be able to do it at the scripting level unfortunately unless you already have a mechanism in place to capture the commands and just want to automate the transfer of them.
In order to really get a handle on keeping watch over your admins with root access, you'll need to hook into something at a much lower level. Solaris has a set of tools called the BSM (Basic(?) Security Module I think) which will allow you to get right down to the individual system calls if you want. Other OS's will likely have similar options avialable to them too. Post your OS here and with a little luck someone will be able to identify what you'll need to look at to get this going.
Another option is to look at tools like tripwire and remote syslog servers - catch the end result of the commands rather than the commands themselves. Provided everything is logged realtime to a remote server that the users in question do not have access to, you can review what they've done. Just remember to have them sign something to promise they won't turn off the logging and immediatly terminate the employment of anyone that breaks this (you will see it disable even if you can't see what happens afterwards).
Yet another option (and my preference) is to cut back the access. Use sudo to grant specific sets of commands to specific groups of users. Use file permissions to grant read-only access to users that only need that. Use setuid menus to provide for the use of more complex programs while retaining logging of what is being done.
I am one of the two senior engineers responsible for over a hundred servers and I don't know the root password to any of my boxen. It's not actually that tough to set up a three-way model to keep your access control, audit, and admin work seperate. You can't prevent someone playing silly-buggers but you can certainly catch them
In order to really get a handle on keeping watch over your admins with root access, you'll need to hook into something at a much lower level. Solaris has a set of tools called the BSM (Basic(?) Security Module I think) which will allow you to get right down to the individual system calls if you want. Other OS's will likely have similar options avialable to them too. Post your OS here and with a little luck someone will be able to identify what you'll need to look at to get this going.
Another option is to look at tools like tripwire and remote syslog servers - catch the end result of the commands rather than the commands themselves. Provided everything is logged realtime to a remote server that the users in question do not have access to, you can review what they've done. Just remember to have them sign something to promise they won't turn off the logging and immediatly terminate the employment of anyone that breaks this (you will see it disable even if you can't see what happens afterwards).
Yet another option (and my preference) is to cut back the access. Use sudo to grant specific sets of commands to specific groups of users. Use file permissions to grant read-only access to users that only need that. Use setuid menus to provide for the use of more complex programs while retaining logging of what is being done.
I am one of the two senior engineers responsible for over a hundred servers and I don't know the root password to any of my boxen. It's not actually that tough to set up a three-way model to keep your access control, audit, and admin work seperate. You can't prevent someone playing silly-buggers but you can certainly catch them
|
|
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hi there. Linux newbie and I'm trying to find commands to:
Display number of executable files in a directory that i supply and list them in alphabetical order
Back up all the files in the current irectory to a directory i supply, creating that directory if it's not allready there
Cound... (5 Replies)
Discussion started by: indigoecho
5 Replies
2. Solaris
I want to enable root login just from one terminal machine, can i do that via /etc/default/login in console=/dev/console line ?
and if so what i have to type exactly, another question is it normal to edit the files inside defaults directly ? or i can copy it to /etc/ and edit it there and its... (3 Replies)
Discussion started by: XP_2600
3 Replies
3. AIX
Hi, yesterday, I changed root's shell in /etc/passwd, cause a mistake then I can not log in root account (can't find correct shell). I attempted to log in single-mode, however, it prompted for single-mode's password then I type root's password but still can not log in.
I'm using AIX 5L version 5.2... (2 Replies)
Discussion started by: neikel
2 Replies
4. UNIX for Dummies Questions & Answers
hi
i am new to unix and i have abig task. i have to \run particular commands having root privileges from a non root user. i know sudo is one of the way but i need sum other approach kindly help
Thanks (5 Replies)
Discussion started by: suryashikha
5 Replies
5. Shell Programming and Scripting
hi..
I have a small question...if I have a textfile..let say apple.txt and I want to
1. search for all strings that's 6 characters long, and contains the letters a,b,c,d.
2. search for all words that that begins with "sUn" and ends with "flower"
3. search for all the words beginning with the... (3 Replies)
Discussion started by: Oregano
3 Replies
6. UNIX for Dummies Questions & Answers
i am at home with a windows xp home, and i am using putty terminal to access my linux mathlab account, my task is to compile and run a C program, called a.c,
i used
gcc -Wall -g -o mycode a.c
to compile it into a mycode file
now when i want to run it, i was told i had to use
$... (2 Replies)
Discussion started by: omega666
2 Replies
7. Shell Programming and Scripting
i have few files generated everyday with a date stamp. Sometimes it happens that if the files are generated late i.e after 00:00 hrs the date stamp will be of the next day.
example:
110123_file1
110123_file2
110123_file3
110124_file4
in the above example file4 is also for the previous... (2 Replies)
Discussion started by: gpk_newbie
2 Replies
8. Programming
Hi
I am trying to modify a C program to work for my needs. Problem is I don't know any real programming. I would really appreciate it if someone could help me!
Basically it is to get bandwidth speeds from a remote box. I have two terminal commands that get me the up and down speeds.
So how do... (8 Replies)
Discussion started by: milestails
8 Replies
9. Ubuntu
I've written a program in C, called count_0.1 which is essentially a word count program.
I want to be able to use it as a command in the terminal (by typing in count), like when you type in ls, you don't have to go to a directory, find an executable and type in: ./ls
I've tried:
Adding... (1 Reply)
Discussion started by: usernamer
1 Replies
10. Shell Programming and Scripting
I need to list users in /etc/passwd with root's GID or UID or /root as home directory
If we have these entries in /etc/passwd
root:x:0:0:root:/root:/bin/bash
rootgooduser1:x:100:100::/home/gooduser1:/bin/bash
baduser1:x:0:300::/home/baduser1:/bin/bash... (6 Replies)
Discussion started by: anil510
6 Replies
LEARN ABOUT REDHAT
upsd.conf
UPSD.CONF(5) Network UPS Tools (NUT) UPSD.CONF(5) NAME
upsd.conf - Configuration for Network UPS Tools upsd DESCRIPTION
upsd uses this file to control access to the server and set some other miscellaneous configuration values. This file will contain pass- words for your upsmon(8) clients, so keep it secure. Ideally, only the upsd process should be able to read it. ACCESS CONTROL CONFIGURATION
ACL name netblock Define an Access Control List (ACL) called name that contains the network netblock. The netblock can be either the old style, such as this for a traditional "class C": ACL mynet 192.168.50.0/255.255.255.0 Or, you can use new-style "CIDR format": ACL mynet 192.168.50.0/24 To just list one host, it would look like one of these: ACL mybox 192.168.50.1/255.255.255.255 ACL mybox 192.168.50.1/32 ACLs are used whenever you need to refer to a network or host, such as in ACCESS definitions (below) and with "allowfrom" in upsd.users(5). ACCESS action level aclname [password] Define the access to commands at level level by clients in the network defined by ACL aclname, optionally requiring a password pass- word. The action can be one of three values: grant - allow the clients to perform commands at this level. deny - deny the clients access to commands at this level. drop - like deny, but don't even respond to their query. The level relates to the complexity of the command. More important functions like editing variables inside the UPS require more privileges than merely checking the status. Each level includes the powers of the one before it. Here are the valid levels: base - Allows TCP connections and very simple queries. Valid commands are VER and HELP. monitor - "base", plus the ability to fetch variables from the UPS. Valid commands are LISTRW, LISTVARS, and REQ. login - Deprecated. Implies monitor and base. This is used by old versions of upsmon in slave mode. Newer versions of upsmon (1.1 and up) that send usernames are granted access in upsd.users(5). master - Deprecated. Implies login, monitor and base. Used by old versions in master mode. See login above. all - match any level. This really only should be used for "drop all all" or similar. Granting "all" access to any host is not recommended. The aclname is just one of your ACL definitions, as explained above. The password is only used for "login" or "master", and should not be set for lower access levels. ACCESS CONTROL EXAMPLES
Here is an example configuration to show some of what is possible. - "bigserver" has a UPS attached to a serial port. It runs the driver, upsd, and upsmon in master mode. This definition is also ref- erenced with an "allowfrom" in upsd.users(8). - "workstation" draws from the same UPS as "bigserver", but has to monitor it over the network. It runs upsmon in slave mode. It is also referenced with an "allowfrom" in upsd.users(8). - "webserver" doesn't get power from this UPS at all, but it runs the CGI programs so it can make nice status displays. - an abuser is silently dropped - everyone not yet covered is denied nicely ACL bigserver 10.20.30.1/32 ACL workstation 10.20.30.2/32 ACL webserver 10.20.30.3/32 ACL abuser 192.168.255.128/32 ACL all 0.0.0.0/0 ACCESS grant monitor bigserver ACCESS grant monitor workstation ACCESS grant monitor webserver ACCESS drop all abuser ACCESS deny all all ACCESS CONTROL MATCHING
Access controls should go from most specific to least specific. The first match with a sufficient access level is the one used when apply- ing permissions. Along the same lines, everyone is a member of "all", but we want to match everything else first so they don't hit the deny at the bottom. If you don't have a final "all" match at the bottom, it will force one for you as a deny. This means that you have to explicitly add an allow in order to allow the whole world to have access. Just think of it as a big repeating "if-then-else" structure. OTHER CONFIGURATION DIRECTIVES
MAXAGE seconds upsd usually allows the data from a driver to go up to 15 seconds without an update before declaring it "stale". If your driver can't reliably update the data that often but is otherwise working, you can use MAXAGE to make upsd wait longer. You should only use this if your driver has difficulties keeping the data fresh within the normal 15 second interval. Watch the syslog for notifications from upsd about staleness. STATEPATH path Tell upsd to look for the state files in path rather than the default that was compiled into the program. SEE ALSO
upsd(8), nutupsdrv(8), upsd.users(5) Internet resources: The NUT (Network UPS Tools) home page: http://www.exploits.org/nut/ NUT mailing list archives and information: http://lists.exploits.org/ Wed Oct 16 2002 UPSD.CONF(5)