How to find IP of user machine executing a particular UNIX command?

Hello,

Our applications are deployed on SunOS 5.10 servers. All the team members use the same username/pwd to log in to the box. Very often we face an issue where we can see that WebLogic server instances are KILLED and we are not able to trace who executed the kill command. All team members use PuTTY to log in to the server. Please let us know if there is a way to track the IP of the user who logged in to the server and executed this command, or any other way to track this. Since this has become a routine issue, it will be of great help if someone could respond.

Regards
San

If everyone is sharing the root account, frankly, you're in trouble... I think there's an auditing feature in Solaris you can turn on, but any other root user could just as easily turn it back off.

Your ssh daemon may export a variable which tells you what IP a user came from. You could try adding a script in that profile to log that.

You could try a number of tweaks, such as:

  • On login, set the command history file to one based on the connecting IP address
  • Collect all commands issued by a tty session and write them to the syslog, including the connecting IP address
  • Intercept the kill command with a script that logs the process id and details of the process before calling the real kill command
  • Some other variation?

Of course, all of these can be bypassed, but they might give you a clue if someone forgets. The best method is to set up separate accounts for each user so that they cannot do this in the first place. You are exposing yourself to untold horrors from mistakes and malicious attack.

Is there a good reason for not having separate user accounts, or is it just 'easy'? Remember that security is like contraception - people may not like it but the cost of mistakes can be enormous.

I hope that the above suggestions may help,
Robin
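The first and third suggestions above (a history file per connecting IP, and a wrapper that logs process details before calling the real kill) as an added example; this is not code from the thread. It assumes the SSH daemon sets SSH_CLIENT ("client-ip client-port server-port") in the login environment, that the real kill lives at /usr/bin/kill, and that logger(1) can reach syslog; it is written for a POSIX shell, so on Solaris 10 run it under /usr/bin/ksh rather than the legacy /bin/sh.

```shell
#!/bin/sh
# Added example: audit who issued "kill" on a shared account by recording the
# connecting IP and tty with the target process before signalling it.

# Connecting IP taken from SSH_CLIENT (assumed to be set by sshd);
# "local" when the session did not come in over ssh.
client_ip() {
    if [ -n "$SSH_CLIENT" ]; then
        echo "$SSH_CLIENT" | cut -d' ' -f1
    else
        echo "local"
    fi
}

# Per-connection history file, e.g. ~/.sh_history.192.0.2.10.
# In .profile: HISTFILE=$(history_file); export HISTFILE
history_file() {
    echo "$HOME/.sh_history.$(client_ip)"
}

# One syslog line for one target pid; all fields are passed in so the
# formatting can be checked without a live process.
audit_line() {
    pid="$1"; ip="$2"; tty="$3"; user="$4"; desc="$5"
    echo "kill-audit ip=$ip tty=$tty user=$user pid=$pid cmd='$desc'"
}

# Wrapper entry point: log every pid argument, then hand off to the real kill.
# Installed as a "kill" earlier in PATH than /usr/bin (a tweak, not a control:
# anyone can still call /usr/bin/kill directly).
log_and_kill() {
    ip=$(client_ip)
    tty=$(tty 2>/dev/null || echo "notty")
    for arg in "$@"; do
        case "$arg" in
            -*) continue ;;   # skip options and signal names such as -9 / -TERM
        esac
        # owner and command line of the target, if it still exists
        desc=$(ps -o user= -o args= -p "$arg" 2>/dev/null | head -1)
        logger -p auth.notice -t kill-wrapper \
            "$(audit_line "$arg" "$ip" "$tty" "${LOGNAME:-unknown}" "$desc")"
    done
    exec /usr/bin/kill "$@"
}

# Only act when invoked with arguments, so sourcing the file defines the
# functions without signalling anything.
[ $# -eq 0 ] || log_and_kill "$@"
```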