Root Auditing Questions


# 1  
Old 05-31-2011

First timer here... appreciate any help. My lingo might be off a bit, but I'll clarify where necessary.

1- Is there a way to monitor direct logins to root? i.e. logging in directly to root as opposed to logging in to a user account and then su or sudo to root. I have a machine set to "PermitRootLogin yes" temporarily and want to monitor direct root logins. (I know this isn't an ideal setting for that option, but let's assume this is the case for now.)

2- When logged in as root, does a user still need to type su to run commands? If so, are those commands captured in the sulog? (I don't have access to a UNIX machine at the moment, so I can't test this out.)

Thanks for any help!
# 2  
Old 05-31-2011
It's by no means perfect and success can vary across *ix platforms, but usually "logins" will create a wtmp entry (you can use the "last" command to browse). Remember, root can do anything, including covering up tracks it leaves behind (you have been warned).
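The wtmp check this reply describes, worked through as an added example that is not part of the thread: a small shell script that picks direct root logins out of "last"-style output and groups the network ones by source host. A direct root login is the only kind that shows up in wtmp under the user "root"; a user who logs in as themselves and then runs su or sudo leaves a wtmp entry under their own name and the privilege change is logged elsewhere (sulog, auth log, sudo log). The sample lines are constructed to look like "last -a" output on Linux, not real records, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: separate direct root logins from
# everything else in "last"-style wtmp output.
#
# The lines below are constructed to resemble `last -a` on Linux
# (user, tty, date/time, duration, host as the LAST column); they are
# sample data, not a real login history.
SAMPLE_LAST='root     pts/0        Tue May 31 09:12 - 09:40  (00:28)     203.0.113.7
alice    pts/1        Tue May 31 09:15   still logged in          203.0.113.9
root     tty1         Tue May 31 08:02 - 08:10  (00:08)
bob      pts/2        Mon May 30 17:44 - 18:01  (00:17)     198.51.100.4
root     pts/3        Mon May 30 16:00 - 16:05  (00:05)     198.51.100.4
reboot   system boot  Mon May 30 07:00   still running            3.2.0-generic

wtmp begins Mon May 30 07:00:00 2011'

# direct_root_logins: read `last -a` output on stdin and print one line per
# root session as "source<TAB>tty<TAB>start".  A console login has no host
# column, so its last field is the "(hh:mm)" duration or the word "in"
# from "still logged in"; those sessions are reported with source "local".
direct_root_logins() {
    awk '$1 == "root" {
        src = ($NF ~ /^\(/ || $NF == "in") ? "local" : $NF
        printf "%s\t%s\t%s %s %s %s\n", src, $2, $3, $4, $5, $6
    }'
}

# remote_root_logins: only the root sessions that arrived over the network,
# which are the ones that matter while PermitRootLogin is left at "yes".
remote_root_logins() {
    direct_root_logins | awk -F '\t' '$1 != "local"'
}

# root_login_sources: count network root logins per source host, so a
# host that should never be logging in as root stands out.
root_login_sources() {
    remote_root_logins | cut -f1 | sort | uniq -c | sort -rn
}

# Stand-alone demo on the constructed sample.  On a real Linux host replace
# the printf with:   last -a root
printf '%s\n' "$SAMPLE_LAST" | root_login_sources
```

Two caveats a practitioner would add. First, wtmp is just a file root can edit, so the only copy worth trusting is one that left the box before the session ended: sshd also logs each accepted login ("Accepted password for root from ..." / "Accepted publickey for root from ...") to syslog, and shipping that to a remote log host gives you a record the logged-in root cannot scrub. Second, on Linux "lastb" reads /var/log/btmp and shows failed attempts, which is the other half of the picture when root logins are reachable from the network.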
# 3  
Old 06-01-2011
1)
You should not allow direct root logins over the network. IMO, forget about auditing if this is allowed.

2)
su is not used/needed when logged in directly as root. When a person has root, they have the ability to cover their tracks if needed.
# 4  
Old 06-01-2011
Thanks for the feedback. I'm well aware their own tracks might be covered, but I was looking at some built-in alternatives/monitoring that perhaps I wasn't aware of. That setting should always be set to 'no' or 'without-password' using public/private keys...
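The sshd setting the poster refers to, checked as an added example that is not from the thread: the script below reads an sshd_config on stdin and reports the effective PermitRootLogin value, with the weak configuration from the first post next to the fixed one. sshd honours the first uncommented occurrence of a keyword, matches keywords case-insensitively, and treats everything after a Match line as belonging to that block, so only the global section is examined. When the keyword is never set the value is the compiled-in default, which was "yes" for OpenSSH releases before 7.0 (7.0 changed it to prohibit-password, a new name for without-password). The sample configs are constructed and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: report the effective PermitRootLogin
# value from an sshd_config supplied on stdin.  The three configs below are
# constructed samples, not files from any real host.

# The setting the original poster has in place.
WEAK_CONFIG='# constructed sample: direct root password logins allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Key-only root login.  The second PermitRootLogin line exercises the
# first-occurrence-wins rule: sshd ignores it, and so does the parser.
FIXED_CONFIG='# constructed sample: root may log in with a key only
Port 22
permitrootlogin without-password
PasswordAuthentication no
PermitRootLogin yes'

# Keyword present only in a comment, i.e. unset: the compiled-in default
# applies, which is "yes" on the OpenSSH versions of the thread era.
UNSET_CONFIG='# constructed sample: PermitRootLogin never set
#PermitRootLogin yes
Port 22'

# permit_root_login: print the effective value (lower-cased).  Stops at the
# first Match block because keywords after it are not global; prints the
# pre-7.0 default "yes" if nothing in the global section sets it.
permit_root_login() {
    awk '
        { key = tolower($1) }
        key == "match"            { exit }          # end of global section
        key == "" || key ~ /^#/   { next }          # blank or comment line
        key == "permitrootlogin"  { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }             # compiled-in default
    '
}

# check_root_login: exit 0 when root cannot log in with a password over the
# network, 1 when it can.  "forced-commands-only" and the newer
# "prohibit-password" spelling are accepted alongside "without-password".
check_root_login() {
    v=$(permit_root_login)
    case "$v" in
        no|without-password|prohibit-password|forced-commands-only)
            echo "ok: PermitRootLogin $v"; return 0 ;;
        *)
            echo "WEAK: PermitRootLogin $v (direct root password login reachable from the network)"
            return 1 ;;
    esac
}

# Stand-alone demo on the constructed samples.  On a real host the
# authoritative answer is:   sshd -T | grep -i permitrootlogin
for cfg in "$WEAK_CONFIG" "$FIXED_CONFIG" "$UNSET_CONFIG"; do
    printf '%s\n' "$cfg" | check_root_login || true
done
```

The unset case is the one that bites: a config that merely comments out "#PermitRootLogin yes" has not turned anything off on those releases, which is why the demo reports it as weak. "sshd -T" prints the configuration sshd will actually apply, so on a live host prefer that over parsing the file.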