08-08-2012, 04:56 PM
Heng Su

How protect bash history file, do audit alike in server

Hello,

I want to protect the history file from being deleted by any user
except 'root'. Is that possible?
On my server, many users can log in as root remotely through
ssh, so I cannot trace which person did something wrong. So I decided to
create a new account for every user and let them use 'sudo'; then I can
trace which person typed which command and what he did. However, even if
I create a new account for every user, they can still easily delete their
own history.

What should I do? I believe everyone encounters such things
normally. I think there is a graceful solution for it, as I am not
experienced in server management. So, any suggestions for how to trace
users, i.e. record what each user did as an audit trail that cannot be
deleted by anyone except the root user?

Thanks!

--
Best Regards,
Su Heng

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
08-08-2012, 05:17 PM
Harold Pritchett

Use remote logging to a second machine which only you have access to.

http://www.linuxjournal.com/content/creating-centralized-syslog-server

Harold

8/8/2012 12:56 PM, Heng Su wrote:
> hello,
>
> I want to protect the history file from deleted for all users except
> user 'root' can do it, is that possible?
> For my server, many users can log in with root from remote through
> ssh, so I can not trace which guy do wrong things. So I decide to create
> new account for every users and let them use 'sudo' then I can trace
> which guy typed which command and what he did. However, even if I create
> new account for every user, they also can delete the history of them
> self easily.
>
> How should I do. I believe everyone encountered such things
> normally. I think there is a gracefully solution for it as I am not
> experience on server manage. So any suggestions for how to trace user
> like to write down which user did as an audit trail and let it can not
> deletable exclude root user?
>
> Thanks!
>


 
08-08-2012, 05:32 PM
Rajagopal Swaminathan

Greetings,

On Wed, Aug 8, 2012 at 10:26 PM, Heng Su <ste.suheng@gmail.com> wrote:
> hello,
> For my server, many users can log in with root from remote through
> ssh, so I can not trace which guy do wrong things. So I decide to create
> new account for every users and let them use 'sudo' then I can trace
> which guy typed which command and what he did. However, even if I create
> new account for every user, they also can delete the history of them
> self easily.
>
> How should I do. I believe everyone encountered such things
> normally. I think there is a gracefully solution for it as I am not
> experience on server manage. So any suggestions for how to trace user
> like to write down which user did as an audit trail and let it can not
> deletable exclude root user?

Perhaps you can look at inotify, put the .bash_history on its
watchlist and then rsync the changes to a remote host.

Haven't tried it though.

HTH
--
Regards,

Rajagopal
 
08-08-2012, 05:42 PM

Heng Su wrote:
> hello,
>
> I want to protect the history file from deleted for all users except
> user 'root' can do it, is that possible?
> For my server, many users can log in with root from remote through
> ssh, so I can not trace which guy do wrong things. So I decide to create
> new account for every users and let them use 'sudo' then I can trace
> which guy typed which command and what he did. However, even if I create
> new account for every user, they also can delete the history of them
> self easily.
>
> How should I do. I believe everyone encountered such things
> normally. I think there is a gracefully solution for it as I am not
> experience on server manage. So any suggestions for how to trace user
> like to write down which user did as an audit trail and let it can not
> deletable exclude root user?

So, you've got someone inside, who's doing nasty, or stupid, things?

The most obnoxious, stupid idea I've had to deal with was a few years ago,
when the company I was subcontracting for put something in the .profile to
log every. single. command. a developer issued....

However, since you've set up sudo for them, their commands should *also*
be in /var/log/secure. Of course, what you need is a script to grab that,
and attach to it which user had sudo'd.

Hmmm, as I type that, I just got to thinking: do they need all root
privileges, or do specific users only need certain commands? If so, it's
easy enough to limit what commands they're allowed to run under sudo - man
sudoers.

mark

 
08-08-2012, 05:54 PM
Les Mikesell

On Wed, Aug 8, 2012 at 11:56 AM, Heng Su <ste.suheng@gmail.com> wrote:
>
> I want to protect the history file from deleted for all users except
> user 'root' can do it, is that possible?
> For my server, many users can log in with root from remote through
> ssh, so I can not trace which guy do wrong things. So I decide to create
> new account for every users and let them use 'sudo' then I can trace
> which guy typed which command and what he did. However, even if I create
> new account for every user, they also can delete the history of them
> self easily.
>
> How should I do. I believe everyone encountered such things
> normally.

No, it is not a common situation. Normally you should not let anyone
you don't trust become root. For fairly obvious reasons...

> I think there is a gracefully solution for it as I am not
> experience on server manage. So any suggestions for how to trace user
> like to write down which user did as an audit trail and let it can not
> deletable exclude root user?

First, why do so many users need the root password? If they are
developers testing things, give them their own VM to break. If they
are doing a few routine things, make them log in as themselves and use
restricted sudo commands (i.e. don't permit 'sudo su -'). In any case,
backups are your friend. Keep copies of anything you might need
updated with frequent rsync's from a different, more restricted
machine - including the log files you might want to track.

--
Les Mikesell
lesmikesell@gmail.com
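
An added example, not written by anyone in this thread: a shell function that does what mark's reply asks for, pulling the sudo entries out of /var/log/secure-style lines and pairing each command with the user who ran it. It also flags the 'sudo su -' case from Les Mikesell's reply, where a root shell is handed out and what is typed afterwards no longer appears in the sudo log. The function names and the sample log lines are constructed for illustration; the line layout is the standard sudo syslog format.

```sh
#!/bin/sh
# Added example. Columns (tab-separated): time, user, run-as, flag, command.
#   flag SHELL  = sudo handed out a shell (su, bash, ...): what is typed in
#                 that shell is not logged command by command by sudo
#   flag DENIED = sudo refused the request
sudo_audit() {
    awk '
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && (i = index($0, "; COMMAND=")) {
        cmd = substr($0, i + 10)
        runas = "?"
        if (match($0, /; USER=[^ ;]+/))
            runas = substr($0, RSTART + 7, RLENGTH - 7)
        exe = cmd
        sub(/ .*/, "", exe)      # first word of the command
        sub(/.*\//, "", exe)     # strip the directory part
        flag = "-"
        if (exe ~ /^(su|sh|bash|dash|ksh|zsh|csh|tcsh)$/)
            flag = "SHELL"
        if ($0 ~ /NOT in sudoers|command not allowed|incorrect password/)
            flag = "DENIED"
        printf "%s %s %s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $6, runas, flag, cmd
    }' "$@"
}

# Constructed sample input in the layout sudo writes to /var/log/secure.
sample_log() {
    cat <<'EOF'
Aug  8 17:40:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cp index.php /var/www/html/index.php
Aug  8 17:41:12 web01 sshd[2211]: Accepted publickey for bob from 192.0.2.10 port 50522 ssh2
Aug  8 17:42:30 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Aug  8 17:45:09 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/rm /var/log/secure
EOF
}

# On a real host: sudo_audit /var/log/secure
sample_log | sudo_audit
```

Run against a copy of the log held on the remote log host, the report cannot be altered by the users it describes.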
 
08-08-2012, 06:00 PM
Mihamina Rakotomandimby

Use sudo.
 
08-08-2012, 06:02 PM
Heng Su

Hi mark,

Great! I think what you mentioned is exactly what I want.
Normally, I want to trace which person did something wrong on the server.

I tried the link that Harold provided and find it's a good idea for
protecting log files; however, what I want to know is which person typed
which command.

/var/log/secure is what I want, thank you so much.

I cannot limit the sudo commands, such as the cp command.

For instance, in a small team of 4 developers, we deploy some code files to
this server; however, someone, let's say a new guy, overwrites the wrong
file. I need to trace it and inform him carefully.

Thanks.

On 08/09/2012 01:42 AM, m.roth@5-cent.us wrote:
> Heng Su wrote:
>> hello,
>>
>> I want to protect the history file from deleted for all users except
>> user 'root' can do it, is that possible?
>> For my server, many users can log in with root from remote through
>> ssh, so I can not trace which guy do wrong things. So I decide to create
>> new account for every users and let them use 'sudo' then I can trace
>> which guy typed which command and what he did. However, even if I create
>> new account for every user, they also can delete the history of them
>> self easily.
>>
>> How should I do. I believe everyone encountered such things
>> normally. I think there is a gracefully solution for it as I am not
>> experience on server manage. So any suggestions for how to trace user
>> like to write down which user did as an audit trail and let it can not
>> deletable exclude root user?
> So, you've got someone inside, who's doing nasty, or stupid, things?
>
> The most obnoxious, stupid idea I've had to deal with was a few years ago,
> when the company I was subcontracting for put something in the .profile to
> log every. single. command. a developer issued....
>
> However, since you've set up sudo for them, their commands should *also*
> be in /var/log/secure. Of course, what you need is a script to grab that,
> and attach to it which user had sudo'd.
>
> Hmmm, as I type that, I just got to thinking: do they need all root
> privileges, or do specific users only need certain commands? If so, it's
> easy enough to limit what commands they're allowed to run under sudo - man
> sudoers.
>
> mark
>


--
Best Regards,
Su Heng

 
08-08-2012, 06:14 PM
Rajagopal Swaminathan

Greetings,

On Wed, Aug 8, 2012 at 11:32 PM, Heng Su <ste.suheng@gmail.com> wrote:
> this server, however, someone let say new guy overwrite wrong file. I
> need to trace on it and inform him carefully.

SCMs like SVN, git etc. are exactly for such events.

You are taking backups, aren't you?

--
Regards,

Rajagopal
 
08-08-2012, 06:23 PM
Heng Su

On 08/09/2012 02:14 AM, Rajagopal Swaminathan wrote:
> Greetings,
>
> On Wed, Aug 8, 2012 at 11:32 PM, Heng Su <ste.suheng@gmail.com> wrote:
>> this server, however, someone let say new guy overwrite wrong file. I
>> need to trace on it and inform him carefully.
> SCMs like SVN, git etc. are exactly for such events.
>
> You are taking backups, aren't you?
Yeah, I know about backups. They're only for making sure the server is
running properly again quickly after an incident. However, you don't know
which person did the wrong thing.
The normal flow is to get code from the SCM repository or use a CI server;
however, you know some small companies get such things messy (my current
company, lol ^_^). Sometimes you have to update only one file of the project.
>



--
Best Regards,
Su Heng

 
08-08-2012, 06:34 PM
Brian Mathis

On Wed, Aug 8, 2012 at 12:56 PM, Heng Su <ste.suheng@gmail.com> wrote:
> I want to protect the history file from deleted for all users except
> user 'root' can do it, is that possible?
> For my server, many users can log in with root from remote through
> ssh, so I can not trace which guy do wrong things. So I decide to create
> new account for every users and let them use 'sudo' then I can trace
> which guy typed which command and what he did. However, even if I create
> new account for every user, they also can delete the history of them
> self easily.
>
> How should I do. I believe everyone encountered such things
> normally. I think there is a gracefully solution for it as I am not
> experience on server manage. So any suggestions for how to trace user
> like to write down which user did as an audit trail and let it can not
> deletable exclude root user?
>
> Thanks!
> Su Heng


Capturing history files is error-prone and a very bad way to approach
this problem. You should instead look into using process accounting,
provided by the psacct package. You can read about it here:
http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html


❧ Brian Mathis