Shell Programming and Scripting

Hi,

I have several engineers logging into servers with the same system username and passwords eg root. I was thinking about adding a script to bashrc where a user is forced upon login to enter their name and once that has executed there history is logged/redirected to a log file somewhere. I have googled the hell out of it, but running into problems trying to activate the history only for that users session.

Actually I don't know best approach for this any guidance welcomed.

Disallow direct root login and force users to login with their userid and su or sudo -i to root.

This is true I can disable root no problem but that is not the issue. I may have 5-10 engineers acessing a system under 3 usernames /day. Its impossible to create usernames for them all (30-40/ month). I just need a way to force them to log their name abd redirect their commands to a file.

We call this: login with user name and su and sudo.

Works for 100s of users per server at many thousands of companies.

If someone signs in as root then they could fiddle the local logs in any case unless you write them to a remote syslog collector that the engineers do not have access to.

You have no audit on who is using your system. Using sudo really is the way to go as a starter, but don't grant them access to switch user to root. Work out what they need to do, then grant them the privileges to do that and nothing else.

Do not let them run anything as root that you can escape to a shell with, e.g. ftp, vi or even bash as then they have full access again.


It pays to be paranoid about the root account. Protect it else you as the owner will get the blame for everything and anyone could make a costly or fatal mistake on your server. They may complain that they can't do their job, but that's where you have to negotiate and get them the privileges they need and nothing more.




Robin

If you give them root, you have lost all control.

Perhaps a script to create users would help.

If you want multiple users to use the same account, but also have logs to see which IPexecuted each command is possible.

You need to add some entries in bashrc and in addition to add some extra scripts under home directory, the final result will be like:

Code:

pts_0 [2011-10-26 16:29:04] sudo apt-get install putty
pts_0 [2011-10-26 16:29:04] ls -ltrh
pts_1 [2011-10-26 16:29:04] ssh tom_cat01
pts_3 [2011-10-26 16:29:04] cd /tmp
pts_1 [10-26-2011_17:05:39] shutdown -r now

Using last command in addition you can find also which IP was pts_1 at 10-26-2011_17:05:39 and rebooted the node.
Let me know if you need something like this. I can send you the scripts to give a try.