Solved

Linux user permissions

Posted on 2013-11-27
4
749 Views
Last Modified: 2013-12-31
Is it possible to track this scenario?

I have a user account user1 which has direct root login disabled.

user2 and user3 are able to switch as user1 after ssh to the server.

suppose If user2 and user3 switched as user1 simultaneously and user2 removes a file from the server.

How I can track this event and determine which user has removed the file? Is linux auditing will be able to track this?

Is there any scp tools available so that I can login as user2 or 3 and switch as user1?
0
Comment
Question by:vipinvgopal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 12

Assisted Solution

by:Chris Staunton
Chris Staunton earned 250 total points
ID: 39680417
You could turn on shell logging and just monitor the logs that way.  If the user is using bash for instance you could modify the .bashrc with something like:

[[ ! -d $HOME/.hist ]] && mkdir -p $HOME/.hist
export HISTSIZE=2000
export HISTFILE=$HOME/.hist/`date +%Y%m%d.%H%M`.`who -m | awk '{print $1 "." $2}' | sed 's/\///g'`.$$

Then you can review the dated files in the .hist folder

If you are looking for a more robust solution that you could use for SOX auditing for example.  Check out Centrify for corporate environments.  Their auditing features are pretty impressive.
0
 
LVL 3

Accepted Solution

by:
Detlef001 earned 250 total points
ID: 39680424
0
 
LVL 25

Expert Comment

by:madunix
ID: 39682730
You may give a try with pam_tty_audit module if you want to keep a track of all commands they use, Please refer man pam_tty_audit for more details. You can enable this module only for a particular user, then track the commands executed by that user. The logs goes to /var/log/audit/audit.log, it might not be a good option if you want to monitor the account frequently, (Since all are executed using the same account, you have to find the "su" entry first and track the commands executed from that terminal). Also this expects all users use "su - <username>", if they login directly there is no way to track.

Another method would be using sudo, with sudo you get each and every commands logged into /var/log/secure file, so it's easy to track user activities. Make sure the users wont be able to do "# sudo su - <user>" or "# sudo -i ". (also they should not be logging in to the shared account directly.. ie; the shared account password should not be distributed, or restrict direct login using pam configurations).
0
 
LVL 15

Expert Comment

by:Insoftservice
ID: 39686740
Just ad-don to the above comments.
Do the file belongs to server or its some from your specific folders .
If its in a specific folder or path you can use cvs
You are expecting to keep monitoring of your files which can be easily done by a subversion tools like tortoise or svn
0

Featured Post

Stack Overflow Podcast - Frustrating Miracles

In this podcast, Stack Overflow interviewed Linux Academy CEO/Founder, Anthony James, and got his developer story!

"Follow your passion, be prepared to work hard and sacrifice, and, above all, don't let anyone limit your dreams."  - Donovan Bailey

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question