Slashdot Mirror

← Back to Stories (view on slashdot.org)

Keeping Audit Trail of Activities from Root Login?

Posted by Cliff on from the keeping-the-admin-bit-trail dept.

supersam asks: "This question might sound a bit naive, but I am comparatively new at this. So, here goes: on one of my application, based on UNIX platform, I need to implement a mechanism by which, I can trace when an access to ROOT was attempted and what all actions were performed during that session. While info on the first part is probably available through UNIX logs, the second bit is difficult to me. The need is arising because, while it is useful for the support team to know the ROOT password as most of the wonderful things can be done with that access, it also can be a nightmare if something goes wrong and we have to trace the culprit or the root cause of the problem (config files etc...). Is there any way of keeping an audit trail of all activities performed from ROOT login in UNIX which can be traced." Interesting thought. About the easiest way to do this would be to give root it's own custom shell and log everything that shell does. Are there shells that can already do this? Has anyone else implemented such a system? If so, what did you do?

20 of 44 comments (clear)

  1. Sudo by ffsnjb · · Score: 5, Informative

    Force people who want/need to have root access to use 'sudo'. It will log all activities using syslog. This also negates the need to give lowlevel admins the root password (yay!).

    Sudo is in the ports collection for FreeBSD, no idea about linux though.

    --
    "Why do you consent to live in ignorance and fear?" - Bad Religion
    1. Re:Sudo by ryants · · Score: 4, Informative
      Sudo is in the ports collection for FreeBSD, no idea about linux though


      There are RPMs or DEBs for sudo... the package name is (originally enough) "sudo".


      sudo pacakges at RPM Find.

      --

      Ryan T. Sammartino
      "Ancora imparo"

    2. Re:Sudo by NNKK · · Score: 2, Informative

      or, thanks to a freshmeat search, you can go to sudo's homepage and get tarballs
      http://www.courtesan.com/sudo/

    3. Re:Sudo by staplin · · Score: 4, Interesting

      Though you still have to be careful with a few things...

      like "sudo sh" or "sudo su" where the only log you get is that a particular person ran sh/su, but not what they did after that point.

      But IIRC, you can configure sudo access to specific programs/commands, and can block access to ones that cause problems like this.

      And as long as you send your syslogs to a remote/secure machine you don't have to worry about a sudoer editting the logs to cover up after themselves either.

    4. Re:Sudo by extra88 · · Score: 2, Interesting

      Ditto, sudo is your friend. There are a couple of things to be aware of. First, you can tell sudo to log to a separate file if that's what you want. Second, sudo has a -s switch which gives the user a shell for root. If they use that you won't have a log of what was done in the shell. I believe the use of -s can be disabled.

      There's also the good ol' .history file, you could do something archive the .history file for root.

    5. Re:Sudo by loncarevic · · Score: 2, Informative

      1. sudo for linux exists for centuries

      2. how you will record when they type "sudo su" ?

      3. use process accouting programs, every distro have it

      i

    6. Re:Sudo by Saint+Nobody · · Score: 2

      not only that, but there's a million other programs out there that allow for access to the shell. less, for instance. it could look like somebody is innocently reading a config file as root (well, innocent as long as that's part of their job...) but they could use shell escapes to do just about anything. before you give anybody access to anything using sudo, think about how it could be used to obtain a root shell.

      and i'm not talking out of my ass here. i've run into situations at work a couple times when i couldn't find the full time admin and needed to get something done, so i used my sudo access to get a root shell. (of course i had been given permission to root our boxen in case of emergency)

      --
      #define F(x) int main(){printf(#x,10,#x);}
      F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
    7. Re:Sudo by sql*kitten · · Score: 2

      But IIRC, you can configure sudo access to specific programs/commands, and can block access to ones that cause problems like this.

      That's fiendishly difficult to do. Let me give you an example, what could be more innocent than the "cat" command, so a user can read the syslog for debugging? Well, "sudo cat" can be used to view or rewrite /etc/shadow, that's what!

      The problem really is deeper, in the Unix "philosophy" itself. You're either uid 0 who can do anything, or a regular user. There's no notion of really fine-grained access control. Wouldn't it be great, for example, to be able to grant a group of users the right to bind to port 80 (for example) without having to be root in the meantime? Or to create a group of users who can start and stop sendmail/popper without being able to read mail spools? There's simply no elegant way to do this - the users/groups r/w/x mechanism on the file systems just isn't flexible enough. VMS solved this problem decades ago, but its access control lists (on file system objects and system privileges) never cross-pollinated into Unix, similarly processor quotas and many tuning parameters.

      The only way to log what root does is to use a packet sniffer on a box that the root user does not have a login on, and physically secure this machine, and the main servers so they cannot have their keyboards accessed. In this case, even the use of SSH would have to be a "warning flag" that something suspicious was happening. You can't even rely on a kernel mod to track root, since the kernel can easily be replaced.

  2. Related to "Handing Over Root Passwords?" by MrBlack · · Score: 3, Interesting

    This isn't related to the "Handing Over Root Passwords to Consultants" ask slashdot a couple of items below is it? If not there may be a few good suggestions there.

  3. Try process accounting by Anonymous Coward · · Score: 4, Insightful

    For the second part of your question, you could enable process accounting. Which logs accounting information (including the UID) for every process that successfully terminates. See the man pages for acct(2) acct(5), accton(8), and sa(8).

    1. Re:Try process accounting by Bryan+Andersen · · Score: 2

      Enabling process accounting only gets you what commands were run. You don't get the arguments or actions taken within those commands.

  4. Hard Copy by cehardin · · Score: 4, Insightful

    If the system is not accessed physically then you can set up the logs to print out to an old-fashioned dot-matrix printer, even root access can't erase those :-)

    1. Re:Hard Copy by larien · · Score: 4, Informative
      Until the time he putzes about in root and causes the printer to run out of paper :)


      However, it is a valid method of logging to have syslog print to a printer; it means that if a cracker breaks into your system, you still have a log even if he deletes/modifies the log files.

  5. Sudo Homepage by staplin · · Score: 3, Informative

    Information about sudo, including docs, downloads, and mailing lists, is available at http://www.courtesan.com/sudo/index.html.

  6. Snoopy by Spacelord · · Score: 3, Informative

    There is a "wrapper" library called snoopy that can do this. It logs all commands executed to syslog. You can then let syslog log over the network to a dedicated logging host, to which your users don't have access.

    You can find snoopy here:
    http://www.citi.umich.edu/u/marius/snoopy/

  7. Use a secure unix by SuiteSisterMary · · Score: 2

    One of the requirements of the higher ratings of the Orange Book is copious logging. Ridiculous amounts of logging.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  8. Re:Gives me an idea.... by Lancer · · Score: 2
    man syslogd


    On a less sarcastic note, remote logging is a very good idea. Security Focus has a new mailing list about Log Analysis that would probably be of some interest to you, as there's been quite a lot of discussion already about remote logging.


    You're right about one thing - it does save lots of trees :)

    --
    Outside of a dog, a book is man's best friend. Inside a dog it's too dark to read. - Groucho Marx
  9. Some fairly simple ways. by AtariDatacenter · · Score: 2

    These are some halfway decent ways of tracking what is going on with the root shell. Mind you, they aren't hackproof, but they make decent information for after-the-fact investigation:

    Of course, enable your shell history. Also, turn on "lastcomm" so you can at least get the commands (but not the arguments) given at the shell prompt. Finally, more advanced versions of UNIX (I personally know HP/UX and Solaris do this) allow you to turn on snooping to system calls so you can log to disk all the nice commands and their arguments, like fork, accept, all types of disk access, etc.

    Solaris has this included in something called "bsm" (basic security module) which comes with the OS. HP/UX you have to put into "trusted" mode and enable it through SAM. The logs it creates are very difficult to make an authentic looking fake for. Possible, though. Yes, syslogging to a remote host is a good idea.

    Of course, a nice hacker would simply flood the syslogd that is keeping the logs... but you've got to decide how far you're going to go with all of this.

    Also, there are some tools, like Sun's Configuration Service Tracker, which regularly scans the system and logs configuration changes.

    Maybe there is a better way of doing all of this. But the layered approach seems to catch a lot of different things at a lot of different levels. All depending on how far you want to dig down into things.

  10. Modify Bash itself. by ASyndicate · · Score: 2, Interesting

    /etc/shells contains /bin/bash

    I help (in spare time) Administer a shell provider (Techcellent.com)

    What the admin did was modify bash itself.. Making a small portion of the code log something to a very obscure place that cant be accessed by anyone. Try that!.. But I think the line printer Idea is a Very Good Idea and requires the least effort

    --
    This page left intentionally blank.
  11. Re:Take the log out the computer by J'raxis · · Score: 3, Informative
    tail -f nameoflog.log | scriptsend.pl
    Be careful with this, if the script is set up naïvely (using <> to grab all input and then send in one command) the script would keep buffering until `tail` exits.

    You could have `tail -f` write to a named pipe (FIFO), and a script run every minute or so (crond), reading from the FIFO, and send the mail. `tail -f` would keep writing to the FIFO. Each time `scriptsend.pl` tries to read from the FIFO, it would get all the data, get EOF properly (FIFO gets cleared), send, all the while `tail` keeps writing to the FIFO. On the next run, the FIFO has new data in it for the script to use.

    % mkfifo /var/log/fifo
    % tail -f nameoflog.log > /var/log/fifo

    And, every minute:
    % scriptsend.pl < /var/log/fifo
    --
    Liberty in your lifetime