Re: Root access loggin
On Mon, 2007-07-30 at 08:11 -0500, Eric Crist wrote:
> On Jul 30, 2007, at 7:34 AM, Adam J Richardson wrote:
>
> > Tom Evans wrote:
> > > This seems great in principle, but of course, you just gave them a
> > > root shell, and so they can delete their log file easily enough...
> >
> > You could have cron email it to you every 5 minutes. Unlikely he'd
> > check the crontab immediately, unless he was really bent on the
> > system's destruction. Likely you'd have at least some evidence of
> > his behaviour. Of course your email box would fill up quickly.
> >
> > Adam J Richardson
>
> Tom,
>
> If you're really all that worried about this, don't give them root
> access. You could simply sit at the console with them while they
> work. IIRC, they're a contractor, not an employee. Your presence
> during such operations wouldn't be abnormal for a contractor.
>
> HTH
>
> Eric Crist

I'm not at all worried; the OP was. I was merely pointing out that most
auditing solutions have issues that can be worked around by a malicious
user; sometimes you just have to trust someone.
Re: Root access loggin
On Mon, 30 Jul 2007 15:11:06 +0200, Eric Crist <[EMAIL PROTECTED]> wrote:

> On Jul 30, 2007, at 7:34 AM, Adam J Richardson wrote:
>
> > Tom Evans wrote:
> > > This seems great in principle, but of course, you just gave them a
> > > root shell, and so they can delete their log file easily enough...
> >
> > You could have cron email it to you every 5 minutes. Unlikely he'd
> > check the crontab immediately, unless he was really bent on the
> > system's destruction. Likely you'd have at least some evidence of
> > his behaviour. Of course your email box would fill up quickly.
> >
> > Adam J Richardson
>
> Tom,
>
> If you're really all that worried about this, don't give them root
> access. You could simply sit at the console with them while they
> work. IIRC, they're a contractor, not an employee. Your presence
> during such operations wouldn't be abnormal for a contractor.

I don't have the original post of this, so I don't know the details, but
this sounds like a good project for remote audit logging. Or is that only
in FreeBSD 7?

Or use accounting: accton(8). Is it possible to set up an accounting file
as a named pipe, to log to a remote host?

Ronald.

--
Ronald Klop
Amsterdam, The Netherlands
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Root access loggin
On Jul 30, 2007, at 7:34 AM, Adam J Richardson wrote:

> Tom Evans wrote:
> > This seems great in principle, but of course, you just gave them a
> > root shell, and so they can delete their log file easily enough...
>
> You could have cron email it to you every 5 minutes. Unlikely he'd
> check the crontab immediately, unless he was really bent on the
> system's destruction. Likely you'd have at least some evidence of
> his behaviour. Of course your email box would fill up quickly.
>
> Adam J Richardson

Tom,

If you're really all that worried about this, don't give them root
access. You could simply sit at the console with them while they
work. IIRC, they're a contractor, not an employee. Your presence
during such operations wouldn't be abnormal for a contractor.

HTH

Eric Crist
Re: Root access loggin
Tom Evans wrote:
> This seems great in principle, but of course, you just gave them a
> root shell, and so they can delete their log file easily enough...

You could have cron email it to you every 5 minutes. Unlikely he'd
check the crontab immediately, unless he was really bent on the
system's destruction. Likely you'd have at least some evidence of
his behaviour. Of course your email box would fill up quickly.

Adam J Richardson
Re: Root access loggin
On Tue, 2007-07-24 at 13:18 -0400, Ian Lord wrote:
> Hi,
>
> A Zend technician asked me to have a root access on one of my box to
> troubleshoot something wrong in Zend Platform installation that doesn't work
> on Freebsd.
>
> He will need root access naturally to install and debug remotely.
>
> Is there a way to log all the commands he will type and send them in a
> logfile ?
>
> Or is there a better solution than granting him root access from ssh ?
>
> Thanks
>
> sudosh (sudo shell) is an idea here. It gives them a root shell they can
> do anything in, but everything is logged. It can even play back the logs
> at any speed up you like (I like to watch.)

This seems great in principle, but of course, you just gave them a root
shell, and so they can delete their log file easily enough...
Re: Root access loggin
> Exactly, I don't know what needs to be done, and they don't
> either. That's why they need to browse around trying to
> figure out why their installer doesn't work.
>
> Sudo wouldn't be any help here cause I would need to pre
> approve commands and I don't know which one will be needed.
>
> Basically, I don't think there is a better solution than
> giving away the root password, but at least, I would like a
> log of what has been done.
>
> Naturally, I understand any log could be overwritten/modified
> since the person is root, but since I don't think Zend would
> make fun in hacking my server, the point in having the log is
> to undo anything I wouldn't approve ..

You may want to have a look at shells/tcsh-bofh - it installs a patched
tcsh shell in /usr/local/bin which logs all commands to the USER syslog
facility. Set both their user and root's shell to that tcsh (or copy over
the system tcsh) and you'll have a log of all their commands, provided
they don't run another shell, something you'll just have to instruct them
on. Tell them you'll consider it trespassing if they use another shell.

As far as protecting logs, securelevels will offer some degree of
protection. If you set syslog to log user.* to a separate file, and then
set the sappnd and sunlnk flags, then the file can only be appended to.
If you then raise your securelevel to 1, these flags can not be removed.
If you're being that paranoid, you'll want to set flags on syslog.conf as
well, so the facility can't be changed.

I haven't actually tried any of the above, so your mileage will
definitely vary.

-fr.

--
Feargal Reilly, Chief Techie, FBI.
PGP Key: 0xBD252C01 (expires: 2006-11-30)
Web: http://www.fbi.ie/ | Tel: +353.14988588 | Fax: +353.14988489
Communications House, 11 Sallymount Avenue, Ranelagh, Dublin 6.
Re: Root access loggin
--On Tuesday, July 24, 2007 23:00:47 +0100 Vince Hoffman-Kazlauskas <[EMAIL PROTECTED]> wrote:

> Paul Schmehl wrote:
> > --On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <[EMAIL PROTECTED]> wrote:
> >
> > > -----Original Message-----
> > > From: John Fitzgerald [mailto:[EMAIL PROTECTED]
> > > Sent: 24 juillet 2007 15:42
> > > To: Tom Grove
> > > Cc: freebsd-questions@freebsd.org; Ian Lord
> > > Subject: Re: Root access loggin
> > >
> > > > I may be misunderstanding this, but wouldn't allowing only certain
> > > > commands with sudo assume that the user actually knows what
> > > > commands are needed by the user? In this situation it seems like
> > > > the whole reason to grant access to the server was because the
> > > > user _doesn't_ know what needs to be done.
> > >
> > > ~~
> > > Exactly, I don't know what needs to be done, and they don't either.
> > > That's why they need to browse around trying to figure out why
> > > their installer doesn't work.
> > >
> > > Sudo wouldn't be any help here cause I would need to pre approve
> > > commands and I don't know which one will be needed.
> >
> > You seem to have a mistaken understanding of sudo. You can grant them
> > access to everything that root has simply by adding their account to
> > the wheel group and using visudo to grant wheel access to everything
> > that root has access to. You can do this with or without a
> > requirement to type your password when you use sudo. This will allow
> > them to do everything they want while logging every command they
> > type. And that seems to be exactly what you want.
> >
> > So, rather than giving them the root password, create an account for
> > them, add it to the wheel group and use visudo to edit
> > /usr/local/etc/sudoers to grant wheel access to everything. (DO NOT
> > edit the file with vi!)
> >
> > To add the wheel group to a user:
> >
> > pw usermod username -G wheel
> >
> > Granting access to wheel should be self-explanatory:
> >
> > # Uncomment to allow people in group wheel to run all commands
> > %wheel ALL=(ALL) ALL
> > # %wheel ALL=(ALL) NOPASSWD: ALL
> >
> > That way everything they do is logged, and you don't have to
> > compromise your root password.
>
> The problem here is that the first command I type in this situation if I
> need to run multiple commands as root is sudo su - after that nothing is
> logged. I agree with Lowell that watch(8) is probably the way to go.

Well sure, but then you have a log entry where the vendor's tech clearly
tried to circumvent your restrictions. That's cause for immediate
revocation of access and escalation of the issue to the vendor. (Not that
you shouldn't use watch!)

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
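The review step that follows from this exchange, as an added example that is not part of the thread and not Paul's or Vince's code: sudo's syslog lines are the record, and a line reading `COMMAND=/usr/bin/su -` or `COMMAND=/bin/sh` is the one to act on, because sudo records nothing further for that session. The script assumes sudo's standard syslog line layout; the host name, user name, timestamps and paths in the constructed sample are made up, and on a real box the log to feed it depends on where syslog.conf sends sudo's messages.

```shell
#!/bin/sh
# Added example, not from the thread. Reviews sudo's syslog lines for the
# two things the exchange above turns on: commands that hand the tech an
# unlogged root shell (su or a shell, after which sudo records nothing
# more for that session) and commands that sudoers refused.
# Host name, user, timestamps and paths in the sample are constructed; the
# layout is sudo's standard "user : TTY= ; PWD= ; USER= ; COMMAND=" form.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jul 24 16:02:10 www sudo: zendtech : TTY=pts/0 ; PWD=/home/zendtech ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
Jul 24 16:03:41 www sudo: zendtech : TTY=pts/0 ; PWD=/home/zendtech ; USER=root ; COMMAND=/usr/bin/su -
Jul 24 16:05:02 www sudo: zendtech : TTY=pts/0 ; PWD=/usr/local/Zend ; USER=root ; COMMAND=/bin/sh
Jul 24 16:07:15 www sudo: zendtech : TTY=pts/0 ; PWD=/usr/local/Zend ; USER=root ; COMMAND=/usr/local/bin/php -i
Jul 24 16:08:30 www sudo: zendtech : command not allowed ; TTY=pts/0 ; PWD=/home/zendtech ; USER=root ; COMMAND=/bin/cat /etc/master.passwd
EOF

# Print the lines whose COMMAND is su(1) or a shell. Each one marks the
# point where the sudo log goes quiet, so it is where watch(8) or a
# conversation with the vendor has to take over.
flag_shell_escapes() {
    awk '
        / sudo: / && match($0, /COMMAND=[^ ;]+/) {
            path = substr($0, RSTART + 8, RLENGTH - 8)    # strip "COMMAND="
            n = split(path, parts, "/")                    # basename
            if (parts[n] ~ /^(su|sh|bash|csh|tcsh|zsh|ksh)$/) print
        }' "$1"
}

# Print the lines where sudo refused the command.
denied_commands() {
    grep -E ' sudo: .*(command not allowed|NOT in sudoers)' "$1"
}

# Count of shell escapes, for a one-number summary in a cron mail.
count_shell_escapes() {
    flag_shell_escapes "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample, or over a log given as $1.
LOG=${1:-$SAMPLE_LOG}
echo "== shell escapes (sudo log ends here) =="
flag_shell_escapes "$LOG"
echo "== commands sudo refused =="
denied_commands "$LOG"
echo "shell escapes: $(count_shell_escapes "$LOG")"
```

The basename match only catches a shell started directly through sudo; a shell spawned from inside an editor, or from `sudo php`, leaves no such line, which is why the thread keeps coming back to watch(8) for the session as a whole.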
Re: Root access loggin
I accidentally sent my response directly to the OP, rather than to the
list. If he feels it's worthwhile to do so, I guess he can post it to the
list. In short, I just pointed out that setting up a logging server that
collects log events "invisibly" might be a good idea in a circumstance like
this.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Marvin Minsky: "It's just incredible that a trillion-synapse computer could
actually spend Saturday afternoon watching a football game."
Re: Root access loggin
Paul Schmehl wrote:
> --On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <[EMAIL PROTECTED]> wrote:
>
> > -----Original Message-----
> > From: John Fitzgerald [mailto:[EMAIL PROTECTED]
> > Sent: 24 juillet 2007 15:42
> > To: Tom Grove
> > Cc: freebsd-questions@freebsd.org; Ian Lord
> > Subject: Re: Root access loggin
> >
> > > I may be misunderstanding this, but wouldn't allowing only certain
> > > commands with sudo assume that the user actually knows what
> > > commands are needed by the user? In this situation it seems like
> > > the whole reason to grant access to the server was because the
> > > user _doesn't_ know what needs to be done.
> >
> > ~~
> > Exactly, I don't know what needs to be done, and they don't either.
> > That's why they need to browse around trying to figure out why their
> > installer doesn't work.
> >
> > Sudo wouldn't be any help here cause I would need to pre approve
> > commands and I don't know which one will be needed.
>
> You seem to have a mistaken understanding of sudo. You can grant them
> access to everything that root has simply by adding their account to the
> wheel group and using visudo to grant wheel access to everything that
> root has access to. You can do this with or without a requirement to
> type your password when you use sudo. This will allow them to do
> everything they want while logging every command they type. And that
> seems to be exactly what you want.
>
> So, rather than giving them the root password, create an account for
> them, add it to the wheel group and use visudo to edit
> /usr/local/etc/sudoers to grant wheel access to everything. (DO NOT edit
> the file with vi!)
>
> To add the wheel group to a user:
>
> pw usermod username -G wheel
>
> Granting access to wheel should be self-explanatory:
>
> # Uncomment to allow people in group wheel to run all commands
> %wheel ALL=(ALL) ALL
> # %wheel ALL=(ALL) NOPASSWD: ALL
>
> That way everything they do is logged, and you don't have to compromise
> your root password.

The problem here is that the first command I type in this situation if I
need to run multiple commands as root is sudo su - after that nothing is
logged. I agree with Lowell that watch(8) is probably the way to go.

Vince
RE: Root access loggin
--On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <[EMAIL PROTECTED]> wrote:

> -----Original Message-----
> From: John Fitzgerald [mailto:[EMAIL PROTECTED]
> Sent: 24 juillet 2007 15:42
> To: Tom Grove
> Cc: freebsd-questions@freebsd.org; Ian Lord
> Subject: Re: Root access loggin
>
> > I may be misunderstanding this, but wouldn't allowing only certain
> > commands with sudo assume that the user actually knows what commands
> > are needed by the user? In this situation it seems like the whole
> > reason to grant access to the server was because the user _doesn't_
> > know what needs to be done.
>
> ~~
> Exactly, I don't know what needs to be done, and they don't either.
> That's why they need to browse around trying to figure out why their
> installer doesn't work.
>
> Sudo wouldn't be any help here cause I would need to pre approve
> commands and I don't know which one will be needed.

You seem to have a mistaken understanding of sudo. You can grant them
access to everything that root has simply by adding their account to the
wheel group and using visudo to grant wheel access to everything that root
has access to. You can do this with or without a requirement to type your
password when you use sudo. This will allow them to do everything they
want while logging every command they type. And that seems to be exactly
what you want.

So, rather than giving them the root password, create an account for them,
add it to the wheel group and use visudo to edit /usr/local/etc/sudoers to
grant wheel access to everything. (DO NOT edit the file with vi!)

To add the wheel group to a user:

pw usermod username -G wheel

Granting access to wheel should be self-explanatory:

# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL

That way everything they do is logged, and you don't have to compromise
your root password.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
RE: Root access loggin
-----Original Message-----
From: John Fitzgerald [mailto:[EMAIL PROTECTED]
Sent: 24 juillet 2007 15:42
To: Tom Grove
Cc: freebsd-questions@freebsd.org; Ian Lord
Subject: Re: Root access loggin

> I may be misunderstanding this, but wouldn't allowing only certain
> commands with sudo assume that the user actually knows what commands
> are needed by the user? In this situation it seems like the whole
> reason to grant access to the server was because the user _doesn't_
> know what needs to be done.

~~
Exactly, I don't know what needs to be done, and they don't either. That's
why they need to browse around trying to figure out why their installer
doesn't work.

Sudo wouldn't be any help here cause I would need to pre approve commands
and I don't know which one will be needed.

Basically, I don't think there is a better solution than giving away the
root password, but at least, I would like a log of what has been done.

Naturally, I understand any log could be overwritten/modified since the
person is root, but since I don't think Zend would make fun in hacking my
server, the point in having the log is to undo anything I wouldn't
approve ..
Re: Root access loggin
I may be misunderstanding this, but wouldn't allowing only certain
commands with sudo assume that the user actually knows what commands are
needed by the user? In this situation it seems like the whole reason to
grant access to the server was because the user _doesn't_ know what needs
to be done.

On 7/24/07, Tom Grove <[EMAIL PROTECTED]> wrote:
> Lowell Gilbert wrote:
> > Tom Grove <[EMAIL PROTECTED]> writes:
> >
> > > You could even go so far as to limit what he can use sudo on.
> > >
> > > $>man sudo
> > >
> > > Giving him full root access is probably not a good idea.
> >
> > In practice, this approach *is* effectively giving him full root
> > access. Once you have to give the tech the ability to edit root-owned
> > files, you have to trust his honesty.
>
> Once any kind of local access is given to a user trust becomes an
> issue; regardless of root access or not. By only allowing a certain
> set of commands there would still need to be a great deal of cracking
> to gain more access. If one just gives out root access no more would
> need to be done. This is where sudo is unlike root access.
>
> > There are some important advantages to doing it through sudo, though:
> > one is that it makes it easy for the user to keep track of just the
> > root-privileged commands, and another is that it's easier for the
> > user to avoid shooting himself in the foot.
>
> Other advantages to sudo are not having to give out the root password.
> A possible solution may be using sudo and watch together.
>
> > To watch everything done by the remote-connected tech, the most
> > complete approach is probably watch(8), which is a much simpler way
> > of getting everything typed on a particular tty.
>
> While I agree that any kind of raised privilege may not be the best
> idea, if it is necessary, sudo adds a layer of protection you do not
> get with straight root.
>
> -Tom
Re: Root access loggin
Lowell Gilbert wrote:
> Tom Grove <[EMAIL PROTECTED]> writes:
>
> > You could even go so far as to limit what he can use sudo on.
> >
> > $>man sudo
> >
> > Giving him full root access is probably not a good idea.
>
> In practice, this approach *is* effectively giving him full root
> access. Once you have to give the tech the ability to edit root-owned
> files, you have to trust his honesty.

Once any kind of local access is given to a user trust becomes an issue;
regardless of root access or not. By only allowing a certain set of
commands there would still need to be a great deal of cracking to gain
more access. If one just gives out root access no more would need to be
done. This is where sudo is unlike root access.

> There are some important advantages to doing it through sudo, though:
> one is that it makes it easy for the user to keep track of just the
> root-privileged commands, and another is that it's easier for the user
> to avoid shooting himself in the foot.

Other advantages to sudo are not having to give out the root password. A
possible solution may be using sudo and watch together.

> To watch everything done by the remote-connected tech, the most
> complete approach is probably watch(8), which is a much simpler way of
> getting everything typed on a particular tty.

While I agree that any kind of raised privilege may not be the best idea,
if it is necessary, sudo adds a layer of protection you do not get with
straight root.

-Tom
Re: Root access loggin
Tom Grove <[EMAIL PROTECTED]> writes:

> You could even go so far as to limit what he can use sudo on.
>
> $>man sudo
>
> Giving him full root access is probably not a good idea.

In practice, this approach *is* effectively giving him full root access.
Once you have to give the tech the ability to edit root-owned files, you
have to trust his honesty. There are some important advantages to doing
it through sudo, though: one is that it makes it easy for the user to keep
track of just the root-privileged commands, and another is that it's
easier for the user to avoid shooting himself in the foot.

To watch everything done by the remote-connected tech, the most complete
approach is probably watch(8), which is a much simpler way of getting
everything typed on a particular tty.
Re: Root access loggin
You can patch bash to log commands to syslog/remote/etc:

http://64.233.169.104/search?q=cache:y0SGTs8EoTYJ:www.linux.it/~carlo/somehacks/bup/bash-2.05b-syslog_udp01.patch+bash+perassi&hl=en&gl=us&strip=1

I set this up on a few machines and it's not too hard. You can also run a
cron job to see when/who is logged in (w + netstat, for instance) and then
send an email/text message, so he can't login and get rid of the logger
without you knowing it.

Or for the more elaborate setup: http://www.honeynet.org/tools/sebek

On 7/24/07, Ian Lord <[EMAIL PROTECTED]> wrote:
> Hi,
>
> A Zend technician asked me to have a root access on one of my box to
> troubleshoot something wrong in Zend Platform installation that doesn't
> work on Freebsd.
>
> He will need root access naturally to install and debug remotely.
>
> Is there a way to log all the commands he will type and send them in a
> logfile ?
>
> Or is there a better solution than granting him root access from ssh ?
>
> Thanks
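A cron-driven check along the lines of the "w + netstat, then send an email" suggestion in this post and Adam's "cron email it every 5 minutes" idea earlier in the thread, as an added example that is not part of the thread and not any list member's code: it reports login sessions that appeared since the previous run, and a watched log file that got shorter, which is what a truncated or replaced command log looks like from the outside. The state directory, the watched log path and the two sample session snapshots are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a check meant to run from cron every
# few minutes. It reports login sessions that were absent at the previous
# run and a watched log file that got shorter. STATE_DIR, WATCHED_LOG and
# the sample snapshots below are assumptions, not values from the thread.

STATE_DIR=${STATE_DIR:-$(mktemp -d)}                  # persistent dir in real use
WATCHED_LOG=${WATCHED_LOG:-/var/log/contractor.log}   # assumed log path

# Live sessions as sorted "user tty origin" lines. who(1) is POSIX; w(1)
# output differs between systems, which makes it harder to diff reliably.
snapshot_sessions() {
    who | awk '{ printf "%s %s %s\n", $1, $2, ($NF ~ /^\(/ ? $NF : "local") }' | sort -u
}

# Lines in the current snapshot ($2) that were not in the previous one ($1).
new_sessions() {
    comm -13 "$1" "$2"
}

# True when the current byte count ($2) is below the recorded one ($1).
log_shrank() {
    [ "$2" -lt "$1" ]
}

# Size of a file in bytes, 0 when it does not exist.
file_size() {
    if [ -f "$1" ]; then wc -c <"$1" | tr -d ' '; else echo 0; fi
}

# Compare the watched log against the size recorded last time; print an
# alert and return 1 if it shrank, otherwise stay silent and return 0.
check_log_size() {
    size=$(file_size "$WATCHED_LOG")
    last=$(cat "$STATE_DIR/logsize" 2>/dev/null || echo 0)
    echo "$size" >"$STATE_DIR/logsize"
    if log_shrank "$last" "$size"; then
        echo "LOG SHRANK: $WATCHED_LOG went from $last to $size bytes"
        return 1
    fi
    return 0
}

# One cron cycle: print alerts (nothing when nothing changed), save state.
check_cycle() {
    prev="$STATE_DIR/sessions.prev"
    cur="$STATE_DIR/sessions.cur"
    [ -f "$prev" ] || : >"$prev"
    snapshot_sessions >"$cur"
    new_sessions "$prev" "$cur" | sed 's/^/NEW SESSION: /'
    mv "$cur" "$prev"
    check_log_size
}

# Constructed snapshots standing in for two successive runs, so the logic
# can be exercised without a live box; the second run shows a new login.
PREV_SNAPSHOT=$(mktemp)
CUR_SNAPSHOT=$(mktemp)
printf 'ian pts/0 (10.0.0.5)\n' >"$PREV_SNAPSHOT"
printf 'ian pts/0 (10.0.0.5)\nzendtech pts/1 (203.0.113.7)\n' >"$CUR_SNAPSHOT"
new_sessions "$PREV_SNAPSHOT" "$CUR_SNAPSHOT" | sed 's/^/NEW SESSION: /'
```

In real use, call check_cycle from root's crontab every few minutes with STATE_DIR pointing at a directory that persists between runs, and pipe the output to mail(1); since nothing is printed when nothing changed, FreeBSD's mail -E (skip messages with an empty body) keeps the mailbox from filling up the way Adam predicted. The state directory and the script itself have to sit outside the contractor's reach, otherwise the comparison is only as trustworthy as the files it reads, which is the same caveat Tom Evans raised about every logging scheme in this thread.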
Re: Root access loggin
Ian Lord wrote:
> Hi,
>
> A Zend technician asked me to have a root access on one of my box to
> troubleshoot something wrong in Zend Platform installation that doesn't
> work on Freebsd.
>
> He will need root access naturally to install and debug remotely.
>
> Is there a way to log all the commands he will type and send them in a
> logfile ?
>
> Or is there a better solution than granting him root access from ssh ?
>
> Thanks

You could use sudo. Set up an account for him and give him sudo rights so
that each time he would need root access to something he could use the
command:

$>sudo

You could even go so far as to limit what he can use sudo on.

$>man sudo

Giving him full root access is probably not a good idea.

-Tom