Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Linux user permissions

Posted on 2013-11-27
4
Medium Priority
?
760 Views
Last Modified: 2013-12-31
Is it possible to track this scenario?

I have a user account user1 which has direct root login disabled.

user2 and user3 are able to switch as user1 after ssh to the server.

suppose If user2 and user3 switched as user1 simultaneously and user2 removes a file from the server.

How I can track this event and determine which user has removed the file? Is linux auditing will be able to track this?

Is there any scp tools available so that I can login as user2 or 3 and switch as user1?
0
Comment
Question by:vipinvgopal
4 Comments
 
LVL 12

Assisted Solution

by:Chris Staunton
Chris Staunton earned 750 total points
ID: 39680417
You could turn on shell logging and just monitor the logs that way.  If the user is using bash for instance you could modify the .bashrc with something like:

[[ ! -d $HOME/.hist ]] && mkdir -p $HOME/.hist
export HISTSIZE=2000
export HISTFILE=$HOME/.hist/`date +%Y%m%d.%H%M`.`who -m | awk '{print $1 "." $2}' | sed 's/\///g'`.$$

Then you can review the dated files in the .hist folder

If you are looking for a more robust solution that you could use for SOX auditing for example.  Check out Centrify for corporate environments.  Their auditing features are pretty impressive.
0
 
LVL 3

Accepted Solution

by:
Detlef001 earned 750 total points
ID: 39680424
0
 
LVL 25

Expert Comment

by:madunix
ID: 39682730
You may give a try with pam_tty_audit module if you want to keep a track of all commands they use, Please refer man pam_tty_audit for more details. You can enable this module only for a particular user, then track the commands executed by that user. The logs goes to /var/log/audit/audit.log, it might not be a good option if you want to monitor the account frequently, (Since all are executed using the same account, you have to find the "su" entry first and track the commands executed from that terminal). Also this expects all users use "su - <username>", if they login directly there is no way to track.

Another method would be using sudo, with sudo you get each and every commands logged into /var/log/secure file, so it's easy to track user activities. Make sure the users wont be able to do "# sudo su - <user>" or "# sudo -i ". (also they should not be logging in to the shared account directly.. ie; the shared account password should not be distributed, or restrict direct login using pam configurations).
0
 
LVL 15

Expert Comment

by:Insoftservice
ID: 39686740
Just ad-don to the above comments.
Do the file belongs to server or its some from your specific folders .
If its in a specific folder or path you can use cvs
You are expecting to keep monitoring of your files which can be easily done by a subversion tools like tortoise or svn
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
Fine Tune your automatic Updates for Ubuntu / Debian
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Suggested Courses
Course of the Month13 days, 7 hours left to enroll

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question