conversekid
asked on
login sudo su - attempts
Hi, we have multiple users on a shared platform where people use sudo su - to become root on Solaris. I suspect some users are becoming root and doing some mischievous activities. I want to monitor / document the list of users who are becoming root using sudo. Thanks in advance.
If this is Solaris 10, the default root shell is bash, so all the commands will be logged in .bash_history
ASKER
Yeah, that's correct, but I need to do the same in Solaris 9. Is there any way I can do that?
SOLUTION
The point of sudo is to provide a way for non-root users to execute particular commands in a controlled manner. Just disallow any shells from the sudo list and then the users will need to log each individual command.
If that is too much of a problem, you could turn on process accounting and auditing. This will allow you to reconstruct the commands run, although it won't show you the arguments to the commands.
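The monitoring the asker wants in the first place, and the "disallow shells from the sudo list" point above, can both be checked from sudo's own syslog output. The script below is an added example, not code from the thread or from any poster: it reads sudo log lines in sudo's default format and lists every invocation whose target is root and whose program is su or a shell, marking attempts that sudo denied. The host name, user names and timestamps in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report who reached a root shell
# through sudo by reading sudo's syslog lines. Users, host and times below
# are constructed to match sudo's default log format.

SUDO_LOG_SAMPLE='Nov  8 09:12:01 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su -
Nov  8 09:15:44 host1 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/svcadm restart apache
Nov  8 10:02:10 host1 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/su -
Nov  8 10:05:33 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Nov  8 10:40:00 host1 sudo:     dave : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/su -'

# Print "user<TAB>granted|denied<TAB>command" for every sudo line whose target
# is root and whose program is su or a shell: the "sudo su -" escalations the
# thread is about. Ordinary commands (svcadm above) are skipped.
root_shell_escalations() {
    awk '
    /sudo:/ && /USER=root/ {
        user = $0
        sub(/.*sudo:[ \t]*/, "", user)      # drop everything up to the username
        sub(/[ \t]*:.*/, "", user)          # drop the " : ..." that follows it
        cmd = $0
        sub(/.*COMMAND=/, "", cmd)          # full command line that was requested
        prog = cmd
        sub(/[ \t].*/, "", prog)            # program path without its arguments
        sub(/.*\//, "", prog)               # basename of that path
        status = ($0 ~ /NOT in sudoers/) ? "denied" : "granted"
        if (prog ~ /^(su|sh|bash|ksh|csh|tcsh|zsh)$/)
            print user "\t" status "\t" cmd
    }'
}

# Number of root shells each user actually obtained (denied attempts excluded).
per_user_root_shells() {
    root_shell_escalations |
        awk -F'\t' '$2 == "granted" { n[$1]++ } END { for (u in n) print u, n[u] }' |
        sort
}

# Stand-alone run on the constructed sample. In production, pipe in the file
# your syslog.conf routes the auth facility to, or better the copy on a loghost.
case "${1:-}" in
    --demo)
        printf '%s\n' "$SUDO_LOG_SAMPLE" | root_shell_escalations
        echo '--- root shells per user ---'
        printf '%s\n' "$SUDO_LOG_SAMPLE" | per_user_root_shells
        ;;
esac
```

Run it as `sh sudo_root_shells.sh --demo` to see the sample processed, or pipe a real auth log into `root_shell_escalations`. Reading the log on a remote loghost matters here: anyone who has already become root on the box can edit the local file, which is exactly the situation the asker is worried about.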
ASKER
Hi Blu, thanks much. I think you are driving me towards the solution. Can you tell me more about turning on process accounting and auditing? Will I be able to get all the commands executed by each individual user if I do that? Thanks.
Yes. Process accounting tracks all of the processes run on the system, so you can list all of the commands run. Auditing lists important "events" and who did them.
Consider looking at what you need sudo for in the first place. It is not wise to allow a user to get a shell as the root user, that is not what it is for. You should look at the RBAC facilities in Solaris as well. The point is, never allow root access to your system by people you do not trust. You apparently have violated this key principle.
ASKER
HI Blu,
I understand what you are saying. But the root access is already given. The users are internal company employees. They need to install and configure web servers and thereby require root access.
The /etc/passwd file is getting corrupted once in a while. I have to reboot the system from the CD to restore the file. I am trying to find who is doing this.
Can you help me with the commands for process accounting and auditing? Thanks much.
How is it corrupted? What makes you think that it is done maliciously? Are your admins editing it directly? If it is edited directly, it should only ever be edited using the vipw command; that is what it is for.
ASKER
Hi Blu:
We are not editing the /passwd file at all. It's getting corrupted by itself. We are unable to find the reason. We have 2 nodes. It's happening on both nodes.
Okay. So, what OS rev are you using? Even with auditing and such, it will be hard to catch changes to the /etc/passwd file. If you are using Solaris 10, then you can use dtrace, which is a much finer grained tool.
But what makes you think that the corruption is malicious? It sounds more likely that there is a script or program somewhere that updates the /etc/passwd file without locking it first.
ASKER
Hi
We are using Solaris 5.9. I agree with you, there should be a script somewhere. But the script is not in the crontab file of the root user. How can I detect the script? Is there any way to prevent it?
I think that knowing what the corruption looks like should give a clue. How is the file corrupted?
I know this is off topic, but you should really consider upgrading to Solaris 10. It is way more advanced than Solaris 9
ASKER
Yeah, that's a good idea, but you know it takes time. Here is the corrupted file:
************************** ***
HÈñ¾D1p5 lOD1p5 l.ϽHÈñÞD1p5 »D1p5
#HÈñ ¬D£H¹¼MQQ.ϾHÈñþD1p5 1p5 .ϾHÈñ_ 1D1p5 ²¿D1p5 ³.Ï¿HÈñ_ UD1p5 ÊlD1p5 Ê°.Ï¿HÈñ_ uD1p5 áÖD1p5 âHÈñ]
£F¯ªH¹¼CãgèHÈñ <¯jÆH¹¼L^Lj.ÏÀHÈñ_ ¦D1p5 ùXD1p5 ù.ÏÀHÈñ_^LD1p5
ÅD1p5
àHÈñMõD1`¡%D1`¡%.HÈñ]HÇÑ"
¬ÀHÇÑ".ÏÁHÈñ_^L»D1p5
(GD1p5
(
.ÏÁHÈñ_^LßD1p5
?òD1p5
D1p5ÈñD=^L¤D=^L°.ÏÂHÈñ_
W]D1p5
$D1p5Èñ_
nàD1p5
Ú¸D1`âsCD1`âsëHÈñ_
ED1p5Èñ_L
bD1p5
HÈñ]
fD1p5¹¼KÏ.ÏÃHÈñ_
D1p5ñ_CD2Þã>D2ÞãI.ÏÄHÈñ_
µäD1p5
¶$.ÏÄ
¨D1p5ñ_
ÍcD1p5
ÈD1p5HÈñ_
äåD1p5
å'
HÈñ SFTØâH¹¼L^L
±3<¯zUH¹¼B
߬ÂPHÈñ_
D1a
½D1a
È.ÏÈHÈñ_³D1p5
]D1p5
.ÏÉHÈñ_ÕD1p5
¡D1p5
¡I.ÏÉHÈñ_÷D1p5
¸D1p5
¸È.ÏÊHÈñ_D1p5
ÏõD1p5
Ð6.ÏÊHÈñ_;D1p5
çvD1p5
ç¹.ÏËHÈñ_\D1p5
þøD1p5
ÿ;.ÏHÈñ_þD1p5÷%D1p5÷T.ÏËHÈ ñ_}D1p5^LD 1p5^LÏ.ÏÌH Èñ_D1p5^L.
D1p5^L.R.ÏlHÈñ_D4A>-D4A>-. ÑHÈñ] @¤D=£sD=£.ÏÌHÈñ_À
UNHЪ
.ÏÎHÈñ_&D1p5^LD1p5^LØ÷HÈñ[ ¨
>ÞH¹¼MT0MøÔHÈñ"A´P»H¹¾[^L¼ è.ÏÎHÈñ_HD 1p5^L¤D1p5 ^L¤ÍMøÔHÈñ ]
ÚA´PÂH¹¾[^LÀÐ.ÏÏHÈñ_jD1p5^ L¼§D1p5^L¼ îT4 UHÈñ_
ÆÀcÑ
FøB@^LÚ¨Ðp`8C|
TTHTTHTHëþÿÿ¯ªÿÿÿªúÿ«ªª»wï îîþÿÿÿÿÿ¥
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿUºªªª ªªªªªªêïÿÿ ÿÿÿÿÿÿÿÿÿÿ ÿÿÿ
¬ÅÿÿÿÿÿÿÿÿÿÿÿÿÿÿWUU««ZUUÝ ÞnuUZÕwý ÿÿÿÿÿÿÿÿÿÿ ÿöÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿ Þ^Uýÿÿ÷VUU UUUUUUUUUU UUUUµUUUUU UUUUUUUUUU UUUÕVUUU[U ÕUUUUUUUUU µªªªªªªªªª VUUUUUUUUÕ ®VUõÿ×nUýÿ ÿV÷ÿÿ¿ªþÿÿ ¿ªþÿÿߪªªª UUUÕÿÿýÿÿÿ ÿ
**************************
Ouch. Looks like some kind of database or image file. There is a lot of repetition going on there. I would try running the strings command on it to see if there is anything in ASCII in there to find, and to dump some of it out with the od command, maybe "od -xc"
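Since the corruption shows up only when logins start failing, a cheap structural check of the passwd file run from cron would timestamp the event, which is what narrows down the job or script responsible. The script below is an added example, not code from the thread or from any poster: `passwd_sane` rejects a file that is not printable text or whose lines do not have the seven colon-separated fields of passwd(4), `first_bytes` prints the leading bytes in hex (the question asked in the next reply), and `check_passwd` keeps a copy of a bad file and raises a syslog alert. The /var/tmp destination and the `passwd_check` syslog tag are assumptions; the binary sample used in the test is modelled on the od output posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a structural check on a passwd file,
# intended to run from cron so that corruption is noticed and timestamped when
# it happens, which narrows down which job or script is responsible.

# Return 0 if FILE is a plausible passwd(4) file: non-empty, printable text,
# seven colon-separated fields per line, numeric uid and gid. Return 1 otherwise.
passwd_sane() {
    file=$1
    [ -s "$file" ] || return 1
    # Any byte outside printable ASCII, tab and newline means binary garbage,
    # which is what the dump posted in the thread looks like.
    junk=$(LC_ALL=C tr -d '\n\t -~' < "$file" | wc -c | tr -d ' ')
    [ "$junk" -eq 0 ] || return 1
    LC_ALL=C awk -F: '
        NF != 7          { bad = 1; exit }
        $1 == ""         { bad = 1; exit }
        $3 !~ /^[0-9]+$/ { bad = 1; exit }
        $4 !~ /^[0-9]+$/ { bad = 1; exit }
        END { exit (bad ? 1 : 0) }' "$file"
}

# First 16 bytes of FILE as hex: the quick way to answer "what is at the
# start of the corrupted file" (od -A, -t and -N are POSIX options).
first_bytes() {
    od -An -tx1 -N16 "$1" | tr -s ' ' | sed 's/^ //'
}

# Check FILE; when it is bad, keep a copy for forensics and raise a syslog
# alert. DEST (default /var/tmp) is an assumption: prefer a location that is
# shipped off the host, since a root user can clean up local copies.
check_passwd() {
    file=${1:-/etc/passwd}
    dest=${2:-/var/tmp}
    if passwd_sane "$file"; then
        return 0
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$file" "$dest/passwd.bad.$stamp" 2>/dev/null
    logger -p auth.crit -t passwd_check \
        "$file failed structure check; copy saved as $dest/passwd.bad.$stamp; head: $(first_bytes "$file")" 2>/dev/null
    return 1
}

# Stand-alone use: sh passwd_check.sh --check [/etc/passwd]
case "${1:-}" in
    --check) check_passwd "${2:-/etc/passwd}" ;;
esac
```

Scheduled every few minutes, the first failing run brackets the corruption to a short window; comparing that window against the cron tables of all users, not only root's, and against the times the web server installs ran is the next step the thread is circling around.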
ASKER
Hi
Some output of od -xc is:
0005540 abaa aabb 77ef eeee feff ffff ffff a50a
253 252 252 273 w 357 356 356 376 377 377 377 377 377 245 \n
0005560 0000 0000 00ff ffff ffff ffff ffff ffff
\0 \0 \0 \0 \0 377 377 377 377 377 377 377 377 377 377 377
0005600 ffff ffff ffff ffff ffff ffff ffff ffff
377 377 377 377 377 377 377 377 377 377 377 377 377 377 377 377
*
0005720 ffff ffff ffff ffff ffff 7f55 adba aaaa
377 377 377 377 377 377 377 377 377 377 177 U 255 272 252 252
0005740 aaaa aaaa aaaa aaea efff ffff ffff ffff
252 252 252 252 252 252 252 352 357 377 377 377 377 377 377 377
0005760 ffff ffff ffff ffff 000a 0da0 0002 acc5
377 377 377 377 377 377 377 377 \0 \n \r 240 \0 002 254 305
0006000 ffff ffff ffff ffff ffff ffff ffff 5755
377 377 377 377 377 377 377 377 377 377 377 377 377 377 W U
0006020 55ab ab5a 5555 ddde ad6e 7555 ad5a d577
U 253 253 Z U U 335 336 255 n u U 255 Z 325 w
0006040 fdff ffff ffff ffff ffff ffff f6ff ffff
375 377 377 377 377 377 377 377 377 377 377 377 366 377 377 377
0006060 ffff ffff ffff ffff ffff ffff ffff ffff
377 377 377 377 377 377 377 377 377 377 377 377 377 377 377 377
*
0006120 ffff ff7f ffde 5e55 fdff fff7 5655 5555
377 377 377 177 377 336 ^ U 375 377 377 367 V U U U
0006140 5555 5555 5555 5555 5555 5555 55b5 5555
U U U U U U U U U U U U U 265 U U
0006160 5555 5555 5555 5555 5555 5555 5555 5555
U U U U U U U U U U U U U U U U
0006200 d556 5555 555b 55d5 5555 5555 5555 5555
325 V U U U [ U 325 U U U U U U U U
0006220 55b5 aaaa aaaa aaaa aaaa aa56 5555 5555
U 265 252 252 252 252 252 252 252 252 252 V U U U U
0006240 5555 5555 d5ae 5655 f5ff fa7f d76e 55fd
U U U U 325 256 V U 365 377 372 177 327 n U 375
0006260 ffff 56f7 ffff bfaa feff ffbf aafe ffff
377 377 V 367 377 377 277 252 376 377 377 277 252 376 377 377
0006300 dfaa aaaa aa55 5555 d5ff fffd ffff ffff
337 252 252 252 252 U U U 325 377 377 375 377 377 377 377
0006320 0300 0000 0000 0000 0000 0000
003 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
Some output of strings is:
F:=k
F:=k
D1p5
D1p5
/D1p5
D1p5
PD1p5
D1p5
rD1p5
ZmD1p5
D1p5
D1p5
D1p5
]D1p5
D1p5
D1p5
D1p5
D1p5
D1p5
D1p5
;D1p5
vD1p5
\D1p5
D1p5
D1p5
%D1p5
}D1p5
D1p5
D1p5
D1p5
>-D4
D1p5
D1p5
D1p5
D1p5
D1p5
D1p5
_NF:=
Well, nothing jumps out at me, although I think that it looks more like image data than anything else to me. What are the first few bytes of the passwd file?
ASKER
Hi, please see the information below
[root@v02226:/tmp] #> strings passwd.bad.091108
D1p5
lOD1p5
D1p5
D1p5
D1p5
=D1p5
1D1p5
D1p5
UD1p5
lD1p5
uD1p5
D1p5
D1p5
XD1p5
D1p5
D1p5
D1p5
(GD1p5
D1p5
D1p5
D1p5
W]D1p5
$D1p5
[root@v02226:/tmp] #> od -xc passwd.bad.091108 | more
0000000 0000 0018 0000 0007 48c8 f15f 000e 08be
\0 \0 \0 030 \0 \0 \0 007 H 310 361 _ \0 016 \b 276
0000020 4431 7035 0009 6c4f 4431 7035 0009 6c91
D 1 p 5 \0 \t l O D 1 p 5 \0 \t l 221
0000040 0000 0000 2ecf bd90 0000 0018 0000 0007
\0 \0 \0 \0 . 317 275 220 \0 \0 \0 030 \0 \0 \0 007
0000060 48c8 f15f 000e 08de 4431 7035 0009 83bb
H 310 361 _ \0 016 \b 336 D 1 p 5 \0 \t 203 273
0000100 4431 7035 0009 8400 0000 0000 0323 8710
D 1 p 5 \0 \t 204 \0 \0 \0 \0 \0 003 # 207 020
0000120 0000 0018 0000 0007 48c8 f15d 0008 20ac
\0 \0 \0 030 \0 \0 \0 007 H 310 361 ] \0 \b 254
0000140 44a3 1f8a 0000 0000 48b9 bc4d 0006 5151
D 243 037 212 \0 \0 \0 \0 H 271 274 M \0 006 Q Q
0000160 0000 0000 2ecf be10 0000 0018 0000 0007
\0 \0 \0 \0 . 317 276 020 \0 \0 \0 030 \0 \0 \0 007
0000200 48c8 f15f 000e 08fe 4431 7035 0009 9b3d
H 310 361 _ \0 016 \b 376 D 1 p 5 \0 \t 233 =
0000220 4431 7035 0009 9b7e 0000 0000 2ecf be90
D 1 p 5 \0 \t 233 ~ \0 \0 \0 \0 . 317 276 220
0000240 0000 0018 0000 0007 48c8 f15f 000e 0931
\0 \0 \0 030 \0 \0 \0 007 H 310 361 _ \0 016 \t 1
0000260 4431 7035 0009 b2bf 4431 7035 0009 b303
D 1 p 5 \0 \t 262 277 D 1 p 5 \0 \t 263 003
0000300 0000 0000 2ecf bf10 0000 0018 0000 0007
\0 \0 \0 \0 . 317 277 020 \0 \0 \0 030 \0 \0 \0 007
0000320 48c8 f15f 000e 0955 4431 7035 0009 ca6c
H 310 361 _ \0 016 \t U D 1 p 5 \0 \t 312 l
0000340 4431 7035 0009 cab0 0000 0000 2ecf bf90
ASKER CERTIFIED SOLUTION
ASKER
Thanks a lot
As for sudo, you may want to remove the ability to sudo su -. Edit the sudoers file and remove the capability for users to run the su - command. If they need the ability to run su to get to another account, explicitly allow those accounts.