Monitoring SU usage

I hope this is the correct forum - apologies to all if I am mistaken.

We are fairly sure someone has got access to the root password on one of our machines and is 'playing silly b*****rs' with it.

Due to local politics we can't easily get the password changed and we need to gather some info to get things changed.

Does anyone know if it is possible to track/trace/log the use of su (or any other command for that matter, though su is the one we are most interested in)?

We are using Linux - uname -a output below

Linux <hostname> 2.4.9-e.57enterprise #1 SMP Thu Dec 2 20:45:51 EST 2004 i686 unknown

Many thanks for any info/advice

Think there is an su log you can look at (assuming you have su logging switched on).

/var/log/sulog or /var/adm/sulog....

man sulog?

sulog is available for SunOS only; it's not present on Linux. Instead, you can look at the "/var/log/secure" file; the format is:

ajcannon,
If someone got root once on your Linux system then you're in trouble! Chances are he/she will be able to wipe out any suspicious activity such as root su/login etc...

But if the user is pretty dumb :smiley: you can always alias the su command to log some info, something like

alias su='TOTO=$(tty | sed -e "s,^/dev/,,"); who -u | grep "$TOTO" >> /tmp/su.log; /bin/su'
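Following on from the "/var/log/secure" suggestion above, here is an added example (not from any poster in this thread) that pulls su-to-root attempts out of pam_unix-style lines and tallies them per user. The message formats, the sample lines and the function names are my assumptions; check the real file first with grep 'su(pam_unix)' /var/log/secure.

```sh
#!/bin/sh
# Extract su-to-root attempts from /var/log/secure-style syslog lines.
# Assumed (not confirmed by the thread) pam_unix message formats:
#   su(pam_unix)[PID]: session opened for user root by USER(uid=N)
#   su(pam_unix)[PID]: authentication failure; logname=USER ... tty=TTY ... user=root

# Print "MON DAY TIME STATUS USER [TTY]" for each su attempt whose target is root.
su_root_events() {
    awk '
        /su\(pam_unix\)\[[0-9]+\]: session opened for user root by / {
            u = $0; sub(/.*for user root by /, "", u); sub(/\(uid=.*/, "", u)
            if (u == "") u = "?"        # "by (uid=0)": root becoming root again
            print $1, $2, $3, "OK", u; next
        }
        /su\(pam_unix\)\[[0-9]+\]: authentication failure;.* user=root/ {
            u = $0; sub(/.*logname=/, "", u); sub(/ .*/, "", u)
            t = $0; sub(/.*tty=/, "", t); sub(/ .*/, "", t)
            print $1, $2, $3, "FAIL", u, t; next
        }
    '
}

# Per-user tally of successes and failures: the evidence summary.
su_root_summary() {
    su_root_events | awk '{ print $4, $5 }' | sort | uniq -c
}

# Constructed sample lines standing in for /var/log/secure.
sample_secure_log() {
    cat <<'EOF'
Dec  5 10:12:01 host su(pam_unix)[1234]: session opened for user root by alice(uid=500)
Dec  5 10:14:33 host su(pam_unix)[1299]: authentication failure; logname=bob uid=501 euid=0 tty=pts/3 ruser=bob rhost=  user=root
Dec  5 10:15:02 host su(pam_unix)[1301]: session opened for user root by bob(uid=501)
Dec  5 10:20:45 host su(pam_unix)[1301]: session closed for user root
Dec  5 11:01:10 host su(pam_unix)[1400]: session opened for user postgres by alice(uid=500)
Dec  5 11:05:00 host su(pam_unix)[1420]: session opened for user root by (uid=0)
EOF
}

# Against the real file: su_root_summary < /var/log/secure
sample_secure_log | su_root_events
sample_secure_log | su_root_summary
```

Session-closed lines and su to non-root accounts are deliberately ignored, so the output only lists attempts that actually targeted root.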

Then you either don't comprehend the seriousness or don't care about security.

If you had a bull rampaging in your china shop, would you be trying to find the farmer or trying to protect your merchandise?

Stuff the politics, there are bigger concerns than people's egos.

It's a security issue.
Just change the root password.

Not sure if it's the case with all Unix/Linux systems, but on HP-UX you can restrict who can su to root (I called the group 'rooters'). If you're not in that group, then no can do.

Cheers,
Cameron

With NetBSD and some other systems you have to be a member of the "wheel" group.

On FreeBSD as well. A user can't just do "su -"; he has to be a member of the wheel group.

Hi to all who have taken the trouble to respond:

To Porter:
I appreciate your somewhat acerbic remarks about

"Then you either don't comprehend the seriousness or don't care about security.

If you had a bull rampaging in your china shop, would you be trying to find the farmer or trying to protect your merchandise?"

Comprehending the seriousness is not an issue - I am well aware of it. The situation is simply that I cannot get *anything* done without being able to produce evidence of malpractice. I work for a *very* big outfit where money - not sense - counts; I am sure we have all seen similar.

I have *no* control over the server admin and even if I could get the root password changed I have reason to believe that the villain is in 'cahoots' with system support and would simply get the relevant info and carry on as before.

I need to find a 'smoking gun'

Thanks to all for your input - any other suggestions will be most appreciated, e.g. is there a way of putting a 'watch' on a file to log access/edits etc.?

Thanks to all again

Finding the smoking gun is hard after "you've been compromised", but I'm sure you've heard of this nice project ... take a look there, install them, then sit back and watch :smiley:

Andryk

Thanks for this - which particular part of the project are you suggesting I install (or *try* to install!)?

thanks again

Well TBH, I've never used them before, but I sense you need to monitor user sessions to find out who's doing what. One particular tool might be useful for you; read carefully here: Ryan Barnett - GCFA Practical

Our sys admins have a log which watches which users su to root. They also do not allow direct log on as root making the log more effective. I'll see what I can find out.

Cheers
Jamie

Do you have log file messages saying "xxxx su'ed to root" or similar?

Has the box been properly hardened/locked down/audited?

Have you raised your concerns with management? If not, and there is an intruder, and you knew but said nothing, you could be in worse trouble.

To Porter

Your last post: Fair point - we have raised the issue but the problem is that it is not something that management understand/care about. It isn't stopping them reporting that they have done their bit to *their* managers. It means that we are putting code into production that may well not be the code which passed test. As long as it works they don't care.

To jayC89

Thanks - any info would be very welcome.

cheers

Explain to them about the Data Protection Act or your equivalent, or the recent data leaks/compromises on prominent websites.