Heng Su
2012-Aug-08 16:56 UTC
[CentOS] How protect bash history file, do audit alike in server
hello,

I want to protect the history file from being deleted by all users except
'root'; is that possible?

For my server, many users can log in as root from remote through ssh, so I
cannot trace which guy did wrong things. So I decided to create a new
account for every user and let them use 'sudo'; then I can trace which guy
typed which command and what he did. However, even if I create a new
account for every user, they can also easily delete their own history.

What should I do? I believe everyone encounters such things normally. I
think there is a graceful solution for it, as I am not experienced in
server management. So any suggestions for how to trace users, i.e. write
down what each user did as an audit trail that cannot be deleted except by
root?

Thanks!

--
Best Regards,
Su Heng
Harold Pritchett
2012-Aug-08 17:17 UTC
[CentOS] How protect bash history file, do audit alike in server
Use remote logging to a second machine which only you have access to.

http://www.linuxjournal.com/content/creating-centralized-syslog-server

Harold

On 8/8/2012 12:56 PM, Heng Su wrote:
> hello,
>
> I want to protect the history file from being deleted by all users except
> 'root'; is that possible?
> For my server, many users can log in as root from remote through ssh, so I
> cannot trace which guy did wrong things. So I decided to create a new
> account for every user and let them use 'sudo'; then I can trace which guy
> typed which command and what he did. However, even if I create a new
> account for every user, they can also easily delete their own history.
>
> What should I do? I believe everyone encounters such things normally. I
> think there is a graceful solution for it, as I am not experienced in
> server management. So any suggestions for how to trace users, i.e. write
> down what each user did as an audit trail that cannot be deleted except by
> root?
>
> Thanks!
>
Rajagopal Swaminathan
2012-Aug-08 17:32 UTC
[CentOS] How protect bash history file, do audit alike in server
Greetings,

On Wed, Aug 8, 2012 at 10:26 PM, Heng Su <ste.suheng at gmail.com> wrote:
> hello,
> For my server, many users can log in as root from remote through ssh, so I
> cannot trace which guy did wrong things. So I decided to create a new
> account for every user and let them use 'sudo'; then I can trace which guy
> typed which command and what he did. However, even if I create a new
> account for every user, they can also easily delete their own history.
>
> What should I do? I believe everyone encounters such things normally. I
> think there is a graceful solution for it, as I am not experienced in
> server management. So any suggestions for how to trace users, i.e. write
> down what each user did as an audit trail that cannot be deleted except by
> root?

Perhaps you can look at inotify, put the .bash_history on its watchlist and
then rsync the changes to a remote host. Haven't tried it though.

HTH

--
Regards,
Rajagopal
m.roth at 5-cent.us
2012-Aug-08 17:42 UTC
[CentOS] How protect bash history file, do audit alike in server
Heng Su wrote:
> hello,
>
> I want to protect the history file from being deleted by all users except
> 'root'; is that possible?
> For my server, many users can log in as root from remote through ssh, so I
> cannot trace which guy did wrong things. So I decided to create a new
> account for every user and let them use 'sudo'; then I can trace which guy
> typed which command and what he did. However, even if I create a new
> account for every user, they can also easily delete their own history.
>
> What should I do? I believe everyone encounters such things normally. I
> think there is a graceful solution for it, as I am not experienced in
> server management. So any suggestions for how to trace users, i.e. write
> down what each user did as an audit trail that cannot be deleted except by
> root?

So, you've got someone inside who's doing nasty, or stupid, things?

The most obnoxious, stupid idea I've had to deal with was a few years ago,
when the company I was subcontracting for put something in the .profile to
log every. single. command. a developer issued....

However, since you've set up sudo for them, their commands should *also* be
in /var/log/secure. Of course, what you need is a script to grab that, and
attach to it which user had sudo'd.

Hmmm, as I type that, I just got to thinking: do they need all root
privileges, or do specific users only need certain commands? If so, it's
easy enough to limit what commands they're allowed to run under sudo - man
sudoers.

mark
Les Mikesell
2012-Aug-08 17:54 UTC
[CentOS] How protect bash history file, do audit alike in server
On Wed, Aug 8, 2012 at 11:56 AM, Heng Su <ste.suheng at gmail.com> wrote:
>
> I want to protect the history file from being deleted by all users except
> 'root'; is that possible?
> For my server, many users can log in as root from remote through ssh, so I
> cannot trace which guy did wrong things. So I decided to create a new
> account for every user and let them use 'sudo'; then I can trace which guy
> typed which command and what he did. However, even if I create a new
> account for every user, they can also easily delete their own history.
>
> What should I do? I believe everyone encounters such things normally.

No, it is not a common situation. Normally you should not let anyone you
don't trust become root. For fairly obvious reasons...

> I think there is a graceful solution for it, as I am not experienced in
> server management. So any suggestions for how to trace users, i.e. write
> down what each user did as an audit trail that cannot be deleted except by
> root?

First, why do so many users need the root password? If they are developers
testing things, give them their own VM to break. If they are doing a few
routine things, make them log in as themselves and use restricted sudo
commands (i.e. don't permit 'sudo su -'). In any case, backups are your
friend. Keep copies of anything you might need updated with frequent rsyncs
from a different, more restricted machine - including the log files you
might want to track.

--
Les Mikesell
lesmikesell at gmail.com
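As an added example (not code from anyone in this thread) of the script mark describes for pulling sudo entries out of /var/log/secure and attaching them to the invoking user, which also flags the unrestricted-shell case Les warns about ('sudo su -'): the log lines, hostname and user names are constructed, and the line layout assumed is the one sudo emits through syslog.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines (not real server data). sudo logs
# each attempt as "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."; a denied
# attempt carries a reason before TTY=. Host "prd01" and the users are made up.
SAMPLE_SECURE_LOG = """\
Aug  8 12:56:01 prd01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cp /home/alice/app.jar /opt/jboss/deploy/app.jar
Aug  8 12:57:14 prd01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Aug  8 12:58:30 prd01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/rm -f /root/.bash_history
Aug  8 12:59:02 prd01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Aug  8 13:00:45 prd01 sudo:    alice : TTY=pts/0 ; PWD=/opt/jboss ; USER=jboss ; COMMAND=/opt/jboss/bin/shutdown.sh -S
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that turn a restricted sudo grant into an unrestricted root shell;
# after one of these nothing further is attributed to the user in the log.
SHELL_COMMANDS = {"/bin/su", "/bin/bash", "/bin/sh", "/usr/bin/sudo"}

def parse_sudo_events(log_text):
    """One dict per sudo line; lines from other daemons (sshd, ...) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["denied"] = ev["reason"] is not None  # sudo refused; command did not run
        first_word = ev["cmd"].split()[0] if ev["cmd"].strip() else ""
        ev["shell_escalation"] = first_word in SHELL_COMMANDS
        events.append(ev)
    return events

def audit_trail_by_user(events):
    """Map each invoking user to the (timestamp, target user, command) they ran."""
    trail = defaultdict(list)
    for ev in events:
        if not ev["denied"]:
            trail[ev["user"]].append((ev["ts"], ev["target"], ev["cmd"]))
    return dict(trail)

def flagged_events(events):
    """Entries worth a second look: denied attempts and shell escalations."""
    return [ev for ev in events if ev["denied"] or ev["shell_escalation"]]

if __name__ == "__main__":
    evs = parse_sudo_events(SAMPLE_SECURE_LOG)
    for user, cmds in audit_trail_by_user(evs).items():
        for ts, target, cmd in cmds:
            print(f"{ts} {user} -> {target}: {cmd}")
    for ev in flagged_events(evs):
        print("FLAG", ev["user"], ev["reason"] or "shell escalation", ev["cmd"])
```

On a real box, feed it the output of `sudo cat /var/log/secure` (or the copy rsynced to the restricted machine Les mentions) instead of the constructed sample.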
Mihamina Rakotomandimby
2012-Aug-08 18:00 UTC
[CentOS] How protect bash history file, do audit alike in server
Use sudo.
Brian Mathis
2012-Aug-08 18:34 UTC
[CentOS] How protect bash history file, do audit alike in server
On Wed, Aug 8, 2012 at 12:56 PM, Heng Su <ste.suheng at gmail.com> wrote:
> I want to protect the history file from being deleted by all users except
> 'root'; is that possible?
> For my server, many users can log in as root from remote through ssh, so I
> cannot trace which guy did wrong things. So I decided to create a new
> account for every user and let them use 'sudo'; then I can trace which guy
> typed which command and what he did. However, even if I create a new
> account for every user, they can also easily delete their own history.
>
> What should I do? I believe everyone encounters such things normally. I
> think there is a graceful solution for it, as I am not experienced in
> server management. So any suggestions for how to trace users, i.e. write
> down what each user did as an audit trail that cannot be deleted except by
> root?
>
> Thanks!
> Su Heng

Capturing history files is error-prone and a very bad way to approach this
problem. You should instead look into using process accounting, provided by
the psacct package. You can read about it here:

http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html

Brian Mathis
Heng Su
2012-Aug-08 19:35 UTC
[CentOS] How protect bash history file, do audit alike in server
Hi Harald,

Thank you so much for guiding me to the correct path and letting me know
how to move on; I will learn more from you. Indeed I am a developer, not an
admin; that's a good question for the heads of my company, why there is no
admin to manage the server in our company. Anyway, this cannot be
controlled by me; I am a developer leader who just wants to make sure my
team members do correct things on the server. I really like Linux,
especially CentOS; I want to learn more from you.

Thank you again.

Best Regards.

On 08/09/2012 03:14 AM, Reindl Harald wrote:
>
> Am 08.08.2012 21:07, schrieb Heng Su:
>> OK, assuming there is a jboss application server running under user
>> 'jboss' in the PRD server, and we have 4 developers who want to update
>> the jar file in that server.
> look in the manuals for sftp / chroot and bind-mounts
>
>> they always log in using the same user 'jboss' to update files in the
>> server; how can I tell which guy is doing what things that cause the
>> server to go down, as they use the same user account 'jboss'?
> WHY do they use the same account?
>
>> So I don't know what I should do, as I am a shoddy server admin, so I
>> use root to maintain the application server, then create 4 accounts in
>> the server for individual developers. So if they want to copy, move or
>> do other operations on those deploy folders or files, let them use sudo.
>> Now I get all commands they did in /var/log/secure
> a DEVELOPER must not get sudo or even any shell to update
> any files - never, really never
>
> they only have to update files and if needed get WEB-APPLICATIONS
> with cron-jobs behind to call CAREFULLY DEFINED specific commands
>
> if you give different people sudo/root permissions because
> you are missing the knowledge of how to maintain a server
> in a secure way you are the wrong person with the wrong job
>
> how come that you ignore all the security news at least of the
> recent two years? how come that there is nobody in your company
> with the knowledge an admin needs?
>

--
Best Regards,
Su Heng