audit user in BSM/C2 Log

Hi,

I keep encountering events in the BSM/C2 logs which show that the audit user who performed the event is the user (e.g. ongkk in the example below). However, the user is able to show me that he wasn't logged in at that time, nor did he have the rights to perform the event (e.g. su in this example).

I suspect this is generated by a scheduled script which runs daily and it was the way the job was set up. How can I check/confirm that?

header,96,2,su,,simux65.ext.com,2011-06-24 23:36:00.598 +08:00,subject,ongkk,root,root,root,root,29685,1110674129,612 65558 10.88.xx.yy,text,success for user oracle,return,success,0

Check the crontab files? Check for user processes running in a loop awaiting the right time for this activity? Check for remote access by ssh or the like? Seems like a case where the effective user was allowed and his id was the non-effective user. Look for set-uid code, too.
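The record quoted above carries the answer to "who did this" in its subject token: the first name is the audit ID stamped at login and inherited by every child process (including through su), while the following uid/gid/ruid/rgid are the current identities. The script below is an added example (not from any poster in this thread) that splits praudit comma-delimited records into those fields and lists events whose audit user differs from the real uid but whose session ID has no login event, which is the pattern you would expect from a scheduled job that inherited an audit ID rather than from an interactive login. The sample records other than the first are constructed, and the login event names and the all-zero terminal ID for the non-interactive case are assumptions.

```python
from collections import namedtuple

# Constructed sample of praudit -l -d, records, one per line. The second line
# mirrors the record quoted in the thread; the login record and the last su
# record (different session id, zero terminal id) are made up for illustration.
SAMPLE = """\
header,96,2,login - ssh,,simux65.ext.com,2011-06-24 09:02:11.100 +08:00,subject,ongkk,ongkk,staff,ongkk,staff,20111,1110674129,612 65558 10.88.xx.yy,text,successful login,return,success,0
header,96,2,su,,simux65.ext.com,2011-06-24 23:36:00.598 +08:00,subject,ongkk,root,root,root,root,29685,1110674129,612 65558 10.88.xx.yy,text,success for user oracle,return,success,0
header,96,2,su,,simux65.ext.com,2011-06-25 23:36:00.612 +08:00,subject,ongkk,root,root,root,root,30102,2200000001,0 0 0.0.0.0,text,success for user oracle,return,success,0
"""

# Subject token layout: audit ID, effective uid/gid, real uid/gid, pid,
# session id, terminal id (port and machine address).
Event = namedtuple("Event", "event host time audit_user uid gid ruid rgid pid sid tid")

def parse_record(line):
    """Turn one comma-delimited praudit line into an Event.

    Header fields: header, byte count, version, event name, modifier, host, time.
    The subject token follows the literal 'subject' marker.
    """
    f = line.rstrip("\n").split(",")
    i = f.index("subject")
    return Event(f[3], f[5], f[6], *f[i + 1:i + 9])

def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def inherited_audit_id(events):
    """Events run under another identity (audit user != real uid) whose session
    never produced a login record: the audit ID was inherited, not earned by
    logging in, which is what a cron/cfengine-style job would look like."""
    logged_in = {e.sid for e in events if e.event.startswith("login")}
    return [e for e in events if e.audit_user != e.ruid and e.sid not in logged_in]

if __name__ == "__main__":
    for e in inherited_audit_id(parse_log(SAMPLE)):
        print(f"{e.time} {e.event} audit_user={e.audit_user} euid={e.uid} "
              f"sid={e.sid} tid={e.tid} pid={e.pid}")
```

Run it against the real log with `praudit -l -d, <auditfile>`; a hit whose session ID also appears in a `login` record belongs to that user's session, while a hit without one points you back at the scheduler.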

Thanks. Found out from the Unix admin that some of the 'jobs' are using cfengine (which I'm not familiar with). Other than those you suggested checking, anything else if using cfengine?

Know your enemy: GNU cfengine

http://sunsite.ualberta.ca/Documentation/Gnu/cfengine-1.5.4/html_node/Reference/cfengine-Reference_88.html

I have my own firm for that I want to audit.

How can we help?