Slashdot Mirror

← Back to Stories (view on slashdot.org)

Keeping Audit Trail of Activities from Root Login?

Posted by Cliff on from the keeping-the-admin-bit-trail dept.

supersam asks: "This question might sound a bit naive, but I am comparatively new at this. So, here goes: on one of my application, based on UNIX platform, I need to implement a mechanism by which, I can trace when an access to ROOT was attempted and what all actions were performed during that session. While info on the first part is probably available through UNIX logs, the second bit is difficult to me. The need is arising because, while it is useful for the support team to know the ROOT password as most of the wonderful things can be done with that access, it also can be a nightmare if something goes wrong and we have to trace the culprit or the root cause of the problem (config files etc...). Is there any way of keeping an audit trail of all activities performed from ROOT login in UNIX which can be traced." Interesting thought. About the easiest way to do this would be to give root it's own custom shell and log everything that shell does. Are there shells that can already do this? Has anyone else implemented such a system? If so, what did you do?

44 comments

  1. Sudo by ffsnjb · · Score: 5, Informative

    Force people who want/need to have root access to use 'sudo'. It will log all activities using syslog. This also negates the need to give lowlevel admins the root password (yay!).

    Sudo is in the ports collection for FreeBSD, no idea about linux though.

    --
    "Why do you consent to live in ignorance and fear?" - Bad Religion
    1. Re:Sudo by ryants · · Score: 4, Informative
      Sudo is in the ports collection for FreeBSD, no idea about linux though


      There are RPMs or DEBs for sudo... the package name is (originally enough) "sudo".


      sudo pacakges at RPM Find.

      --

      Ryan T. Sammartino
      "Ancora imparo"

    2. Re:Sudo by NNKK · · Score: 2, Informative

      or, thanks to a freshmeat search, you can go to sudo's homepage and get tarballs
      http://www.courtesan.com/sudo/

    3. Re:Sudo by staplin · · Score: 4, Interesting

      Though you still have to be careful with a few things...

      like "sudo sh" or "sudo su" where the only log you get is that a particular person ran sh/su, but not what they did after that point.

      But IIRC, you can configure sudo access to specific programs/commands, and can block access to ones that cause problems like this.

      And as long as you send your syslogs to a remote/secure machine you don't have to worry about a sudoer editting the logs to cover up after themselves either.

    4. Re:Sudo by extra88 · · Score: 2, Interesting

      Ditto, sudo is your friend. There are a couple of things to be aware of. First, you can tell sudo to log to a separate file if that's what you want. Second, sudo has a -s switch which gives the user a shell for root. If they use that you won't have a log of what was done in the shell. I believe the use of -s can be disabled.

      There's also the good ol' .history file, you could do something archive the .history file for root.

    5. Re:Sudo by loncarevic · · Score: 2, Informative

      1. sudo for linux exists for centuries

      2. how you will record when they type "sudo su" ?

      3. use process accouting programs, every distro have it

      i

    6. Re:Sudo by Saint+Nobody · · Score: 2

      not only that, but there's a million other programs out there that allow for access to the shell. less, for instance. it could look like somebody is innocently reading a config file as root (well, innocent as long as that's part of their job...) but they could use shell escapes to do just about anything. before you give anybody access to anything using sudo, think about how it could be used to obtain a root shell.

      and i'm not talking out of my ass here. i've run into situations at work a couple times when i couldn't find the full time admin and needed to get something done, so i used my sudo access to get a root shell. (of course i had been given permission to root our boxen in case of emergency)

      --
      #define F(x) int main(){printf(#x,10,#x);}
      F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
    7. Re:Sudo by randombit · · Score: 1

      and i'm not talking out of my ass here. i've run into situations at work a couple times when i couldn't find the full time admin and needed to get something done, so i used my sudo access to get a root shell. (of course i had been given permission to root our boxen in case of emergency)

      Yeah, that's the problem with sudo. If you configure it so anyone can do any measure of useful work, then they can also crack root with it.

      Of course that's just re-affirming the "golden rule of Unix", don't give root access of any sort unless someone needs it and can be trusted with it.

      We use it here mostly as a nice convinience, so we don't have to su back and forth (we also set it up so we can use rpm through sudo without a password - again convinient, but not secure).

    8. Re:Sudo by FortKnox · · Score: 1

      even worse. "sudo vi", then drop to shell in vi (works with emacs, too). Too many workarounds with sudo.

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    9. Re:Sudo by Hardware · · Score: 1

      Or "sudo vi" or "sudo less" or anything else that lets you invoke a shell.

    10. Re:Sudo by sql*kitten · · Score: 2

      But IIRC, you can configure sudo access to specific programs/commands, and can block access to ones that cause problems like this.

      That's fiendishly difficult to do. Let me give you an example, what could be more innocent than the "cat" command, so a user can read the syslog for debugging? Well, "sudo cat" can be used to view or rewrite /etc/shadow, that's what!

      The problem really is deeper, in the Unix "philosophy" itself. You're either uid 0 who can do anything, or a regular user. There's no notion of really fine-grained access control. Wouldn't it be great, for example, to be able to grant a group of users the right to bind to port 80 (for example) without having to be root in the meantime? Or to create a group of users who can start and stop sendmail/popper without being able to read mail spools? There's simply no elegant way to do this - the users/groups r/w/x mechanism on the file systems just isn't flexible enough. VMS solved this problem decades ago, but its access control lists (on file system objects and system privileges) never cross-pollinated into Unix, similarly processor quotas and many tuning parameters.

      The only way to log what root does is to use a packet sniffer on a box that the root user does not have a login on, and physically secure this machine, and the main servers so they cannot have their keyboards accessed. In this case, even the use of SSH would have to be a "warning flag" that something suspicious was happening. You can't even rely on a kernel mod to track root, since the kernel can easily be replaced.

  2. Related to "Handing Over Root Passwords?" by MrBlack · · Score: 3, Interesting

    This isn't related to the "Handing Over Root Passwords to Consultants" ask slashdot a couple of items below is it? If not there may be a few good suggestions there.

  3. Try process accounting by Anonymous Coward · · Score: 4, Insightful

    For the second part of your question, you could enable process accounting. Which logs accounting information (including the UID) for every process that successfully terminates. See the man pages for acct(2) acct(5), accton(8), and sa(8).

    1. Re:Try process accounting by Bryan+Andersen · · Score: 2

      Enabling process accounting only gets you what commands were run. You don't get the arguments or actions taken within those commands.

    2. Re:Try process accounting by fsck! · · Score: 1

      That is trivialy easy to circumvent. Process accounting only kicks in when a process exists. So as long as /tmp/.. /sploit exec()s ls instead of quitting, it will never reach accounting. Unless you notice that something claiming to be ls has taken 10 minutes of cpu time in under a week, or something like that...

  4. Sudoer by LABTYD · · Score: 1

    Linux has Sudoer which you can give root to a user and they use theey're password not root
    and you can actually set how much root access
    you want them to have

    --
    LABTYD
  5. Hard Copy by cehardin · · Score: 4, Insightful

    If the system is not accessed physically then you can set up the logs to print out to an old-fashioned dot-matrix printer, even root access can't erase those :-)

    1. Re:Hard Copy by larien · · Score: 4, Informative
      Until the time he putzes about in root and causes the printer to run out of paper :)


      However, it is a valid method of logging to have syslog print to a printer; it means that if a cracker breaks into your system, you still have a log even if he deletes/modifies the log files.

  6. Sudo Homepage by staplin · · Score: 3, Informative

    Information about sudo, including docs, downloads, and mailing lists, is available at http://www.courtesan.com/sudo/index.html.

  7. Snoopy by Spacelord · · Score: 3, Informative

    There is a "wrapper" library called snoopy that can do this. It logs all commands executed to syslog. You can then let syslog log over the network to a dedicated logging host, to which your users don't have access.

    You can find snoopy here:
    http://www.citi.umich.edu/u/marius/snoopy/

  8. Gives me an idea.... by invenustus · · Score: 1
    However, it is a valid method of logging to have syslog print to a printer; it means that if a cracker breaks into your system, you still have a log even if he deletes/modifies the log files.
    It seems like there should be another way of doing that without killing a million trees a day. Maybe you could have a dedicated logging box. Every time another box makes a syslog call it could send it out as a little HTTP POST to the logging box. Of course, once the logging box gets cracked, you're no better off than you were before. Maybe there's money to be made in a "log farm" that writes all posted data to a medium that can't be rewritten immediately even if the machines get rooted - tape might be a good choice. Or make a device that punches holes in paper but in a compressed readable-only-by-machine format that saves trees.

    I'll add these to my list of Things I'd Do If I Had The Time And Weren't A Lazy Fsck.

    --
    grep -ri 'should work' /usr/src/linux | wc -l
    1. Re:Gives me an idea.... by Cryptnotic · · Score: 1
      Actually, you can set up the remote logging box to only accept log connections and deny all others (especially remote logins like telnet, rsh, ssh, etc).


      Cryptnotic

      --
      My other first post is car post.
    2. Re:Gives me an idea.... by Lancer · · Score: 2
      man syslogd


      On a less sarcastic note, remote logging is a very good idea. Security Focus has a new mailing list about Log Analysis that would probably be of some interest to you, as there's been quite a lot of discussion already about remote logging.


      You're right about one thing - it does save lots of trees :)

      --
      Outside of a dog, a book is man's best friend. Inside a dog it's too dark to read. - Groucho Marx
    3. Re:Gives me an idea.... by hey_robot · · Score: 1

      Why not just have the machine "print" out the log to the parallel/serial and have the other end connected to a machine that just reads what is sent over the parallel/serial and logs it? Make this machine only accessible directly and not over a network/modem/etc. Just make sure you have enough drive space! ;) -- Dusty

    4. Re:Gives me an idea.... by invenustus · · Score: 1
      Why not just have the machine "print" out the log to the parallel/serial and have the other end connected to a machine that just reads what is sent over the parallel/serial and logs it?
      That's an excellent idea, but I'd still be afraid that if the main server got rooted, you could do some kind of DOS to the log box just by sending it too much crap. I think to really do this in a foolproof way, I'd want to keep the logs on a medium that could ONLY be destroyed or erased by accessing it in meatspace....
      --
      grep -ri 'should work' /usr/src/linux | wc -l
  9. Use a secure unix by SuiteSisterMary · · Score: 2

    One of the requirements of the higher ratings of the Orange Book is copious logging. Ridiculous amounts of logging.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  10. shell by N3MCB · · Score: 1

    I'd be carefull with putting the real root into a wrappered shell - too much can go wrong early in the boot process and a wrappered root account might not be functional depending on what pieces parts are borken. I'd create a seperate account for these people and then wrapper that one. The sudu spproach still sounds better to me as more secure in the long run but I don't think the logging was geared towards a malicious root user who would delete the logs, rather it was directed at an incompetent one that would screw the system up then hide to avoid the resulting chaos. In the latter case the wrappered shell would be less work to set up/maintain.

  11. Multiple root accounts by Anonymous Coward · · Score: 0

    Something else to consider is creating multiple independent root accounts -- such that everyone has their own root account, with a separate password.

    As long as they are all UID 0, it will work just fine. Each user can even have their own independent shell and home directory...

    This practice, while exposing your system to more risk from password-cracking, helps when you need to disable one person's root access without affecting everyone elses.

    Also: Granted anyone capable will turn it off, but consider enabling a high history and saving of history by default. (Say, the last 100,000 commands executed.)

  12. Some fairly simple ways. by AtariDatacenter · · Score: 2

    These are some halfway decent ways of tracking what is going on with the root shell. Mind you, they aren't hackproof, but they make decent information for after-the-fact investigation:

    Of course, enable your shell history. Also, turn on "lastcomm" so you can at least get the commands (but not the arguments) given at the shell prompt. Finally, more advanced versions of UNIX (I personally know HP/UX and Solaris do this) allow you to turn on snooping to system calls so you can log to disk all the nice commands and their arguments, like fork, accept, all types of disk access, etc.

    Solaris has this included in something called "bsm" (basic security module) which comes with the OS. HP/UX you have to put into "trusted" mode and enable it through SAM. The logs it creates are very difficult to make an authentic looking fake for. Possible, though. Yes, syslogging to a remote host is a good idea.

    Of course, a nice hacker would simply flood the syslogd that is keeping the logs... but you've got to decide how far you're going to go with all of this.

    Also, there are some tools, like Sun's Configuration Service Tracker, which regularly scans the system and logs configuration changes.

    Maybe there is a better way of doing all of this. But the layered approach seems to catch a lot of different things at a lot of different levels. All depending on how far you want to dig down into things.

  13. Policy solution by William+Aoki · · Score: 1

    Since this is access for (supposedly) trusted techs, you could simply let them know that they had better have a very good excuse if you catch them invoking a shell and running privlidged commands without logging. Where I work, members of %wheel have an agreement that we use sudo but not 'sudo -s' (unless it's something like 'sudo -u test -s') or 'su', so that an audit log is kept of what commands have been run. More than once the sudo log has been useful for problem hunting.

    If you don't trust your techs or you need to give out limited elevated privlidges to untrusted users, then none of what I've said applies.

  14. Modify Bash itself. by ASyndicate · · Score: 2, Interesting

    /etc/shells contains /bin/bash

    I help (in spare time) Administer a shell provider (Techcellent.com)

    What the admin did was modify bash itself.. Making a small portion of the code log something to a very obscure place that cant be accessed by anyone. Try that!.. But I think the line printer Idea is a Very Good Idea and requires the least effort

    --
    This page left intentionally blank.
  15. Well uhm.. by Anonymous Coward · · Score: 0

    Keeping track of /var/log/messages and /root/.bash_history works great for me.

    1. Re:Well uhm.. by LYNX99 · · Score: 1


      In addition to /.bash_profile, don't forget about the HASH Table (Command Logging) as well

      --
      UNIX AND VMS ARE A POWERFUL COMBINATION "Anyone who challenges me will fall into a MINDLESS daze..."
  16. Alternative to dead trees by Anonymous Coward · · Score: 0

    The LIDS project (http://www.lids.org/) provides an alternate way logging to an unmodifyable file. By enhancing the kernel's (Linux) capabilites handling, it allows you to make a file "append only" so data may be written to the end but not overwritten or erased. Using Linux capabilities, not even root can modify the file after the kernel is "sealed"; unless a seperate passwd is entered.
    This isn't a fullproof solution as the file vulnerable during reboot and does nothing to prevent overflowing the logs.

  17. Take the log out the computer by madumas · · Score: 1
    To prevent somebody deleting the logs, you have to put the log entries out the computer.

    There are many ways to do so:

    • Email every line (with a good filter on your email client or procmail it's easy to manage)
    • Log on an other server (not with nfs, but anything with "append only" access... a cgi script on the other would work well)
    • Printer (take physical place, not easy when colocating)
    • Pager (At least, receive a page for every root login or shell process ran by root)

    Using something like "tail -f nameoflog.log | scriptsend.pl" would work well.


    ---

    1. Re:Take the log out the computer by J'raxis · · Score: 3, Informative
      tail -f nameoflog.log | scriptsend.pl
      Be careful with this, if the script is set up naïvely (using <> to grab all input and then send in one command) the script would keep buffering until `tail` exits.

      You could have `tail -f` write to a named pipe (FIFO), and a script run every minute or so (crond), reading from the FIFO, and send the mail. `tail -f` would keep writing to the FIFO. Each time `scriptsend.pl` tries to read from the FIFO, it would get all the data, get EOF properly (FIFO gets cleared), send, all the while `tail` keeps writing to the FIFO. On the next run, the FIFO has new data in it for the script to use.

      % mkfifo /var/log/fifo
      % tail -f nameoflog.log > /var/log/fifo

      And, every minute:
      % scriptsend.pl < /var/log/fifo
      --
      Liberty in your lifetime
    2. Re:Take the log out the computer by debaere · · Score: 1

      Wouldn't it be easier just to tell syslogd to send the logs across the network to another computer? I believe that this is a native function of syslogd

      --

      DOS is dead, and no one cares...
      If there's a Bourne Shell, I'll see you there
  18. Include 'script' by trexl · · Score: 1

    Why not include the script command in root's bashrc and name the file name the date and time of the login, or whatever other information that you would want in the name? Put it on some special filesystem and then all is good.
    Just a thought?

    1. Re:Include 'script' by opk · · Score: 1
      That would be nice because you'd get all the output and hence the context of the commands. The trouble is if you don't want the user to know they are being logged. Script outputs 'Script started, file is output' and to remove that, you'd have the modify and recompile script. You would need to do `exec script' from the .profile not a .bashrc because in the .rc you'd get and infinite loop and without exec, they could quit script and still be in the shell.


      I'm hoping to do something like this to see what our DBA (who works directly for the client) is doing on the Sun server which I administer. She keeps changing things without telling us and it is getting annoying. Unfortunately, she knows about .profile so I can't modify that without her seeing the changes. So far, I've just kept an eye on .sh_history.

  19. Easy - use accton! by Anonymous Coward · · Score: 0

    I can't believe no one has suggested it. Turn on accounting (accton) and *all* commands are logged to /var/db/acct/.... - just grep for the root lines.

    Oh, you're probably a linux boy, in which case get FreeBSD

    1. Re:Easy - use accton! by Anonymous Coward · · Score: 0

      BSD process accounting was ported to Linux a LONG time ago (probably before BSD was able to run Linux binaries).

  20. Huh? by Anonymous Coward · · Score: 0

    Email every line (with a good filter on your email client or procmail it's easy to manage)

    Log on an other server (not with nfs, but anything with "append only" access... a cgi script on the other would work well)

    can you tell me what the point of these are?

    Why not use the tool that's designed to do the job? (namely, SYSLOG)

    Syslog is capable of sending data to another box, without resorting to ugly, inelegant hacks like the ones you suggest. (an email for every line? are you on crack? Do you have any idea how much overhead a TCP session requires? Not to mention the wasted processing power on the mail server.)

    Do yourself a favour, and learn a little bit about how Unix works before opening your mouth.

  21. Modified shell writing all to syslog. by shippo · · Score: 1
    A few years ago I used to often need root on Banyan VINES servers for debugging/maintenance issues.



    The Bourne shell used by root was modified to log all commands to a number of files in a particular directory (/etc?). The files were written to in a circular fashion - when one file was full, the next would be overwritten.



    The really odd thing was that these logs were not written to immediately, but were flushed out sometime in the future, often after the shell had been closed. I never got to find out how this worked, but I assume that the syslog equivalent was responsible.



    Of course on this system there were very few tools, and most of them were derived from mid 1980s code. I'm not even sure if it was possible to get a shell from their implemantion of vi - it was a very broken vi implementation.



    This logging was pointless, however. The majority of root access was used to query and modify the various security databases via a number of text based tools. If run interactivly these would not log anything.

  22. Or try another approach ... by CodeSpotter · · Score: 1


    How can I log so that I have a trail left to examine?



    This question is easy to answer: turn on logging as much as possible. The only downside is that anyone with root access can alter or delete those logs. Process accounting as a means for logging what root is doing, is easy to implement but very hard to use. PA only logs when a command finishes, so most of the time you will have all the commands in the reverse order they were executed. And it doesn't log arguments. So it certainly does not give you a bullet proof solution. The best solution here is to try logging to a remote computer, syslog has facilities to do just this. Using sudo, a well known tool on Linux, is also an option. Using sudo however is not that easy as it seems. You have to carefully enumerate the list of commands the user can execute. Enlisting "vim" for instance, opens up sudo to every command since in vim you can start a shell as root in that case.



    Another interesting point to mention here is that it is probably better to prevent then to cure. Abuse of the root account, a break in, ... can be made very difficult but not impossible. Limiting the damage in such a case is probably the most important step to take. Make sure that whenever such an event occurs, you can go back to a safe and functional server using backups or anything similar.