Solved

Linux user permissions

Posted on 2013-11-27
4
729 Views
Last Modified: 2013-12-31
Is it possible to track this scenario?

I have a user account user1 which has direct root login disabled.

user2 and user3 are able to switch as user1 after ssh to the server.

suppose If user2 and user3 switched as user1 simultaneously and user2 removes a file from the server.

How I can track this event and determine which user has removed the file? Is linux auditing will be able to track this?

Is there any scp tools available so that I can login as user2 or 3 and switch as user1?
0
Comment
Question by:vipinvgopal
4 Comments
 
LVL 12

Assisted Solution

by:Chris Staunton
Chris Staunton earned 250 total points
Comment Utility
You could turn on shell logging and just monitor the logs that way.  If the user is using bash for instance you could modify the .bashrc with something like:

[[ ! -d $HOME/.hist ]] && mkdir -p $HOME/.hist
export HISTSIZE=2000
export HISTFILE=$HOME/.hist/`date +%Y%m%d.%H%M`.`who -m | awk '{print $1 "." $2}' | sed 's/\///g'`.$$

Then you can review the dated files in the .hist folder

If you are looking for a more robust solution that you could use for SOX auditing for example.  Check out Centrify for corporate environments.  Their auditing features are pretty impressive.
0
 
LVL 3

Accepted Solution

by:
Detlef001 earned 250 total points
Comment Utility
0
 
LVL 25

Expert Comment

by:madunix
Comment Utility
You may give a try with pam_tty_audit module if you want to keep a track of all commands they use, Please refer man pam_tty_audit for more details. You can enable this module only for a particular user, then track the commands executed by that user. The logs goes to /var/log/audit/audit.log, it might not be a good option if you want to monitor the account frequently, (Since all are executed using the same account, you have to find the "su" entry first and track the commands executed from that terminal). Also this expects all users use "su - <username>", if they login directly there is no way to track.

Another method would be using sudo, with sudo you get each and every commands logged into /var/log/secure file, so it's easy to track user activities. Make sure the users wont be able to do "# sudo su - <user>" or "# sudo -i ". (also they should not be logging in to the shared account directly.. ie; the shared account password should not be distributed, or restrict direct login using pam configurations).
0
 
LVL 15

Expert Comment

by:Insoftservice
Comment Utility
Just ad-don to the above comments.
Do the file belongs to server or its some from your specific folders .
If its in a specific folder or path you can use cvs
You are expecting to keep monitoring of your files which can be easily done by a subversion tools like tortoise or svn
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
The purpose of this article is to show how we can create Linux Mint virtual machine using Oracle Virtual Box. To install Linux Mint we have to download the ISO file from its website i.e. http://www.linuxmint.com. Once you open the link you will see …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now