User Logging

Hi,

I have several engineers logging into servers with the same system username and passwords, e.g. root. I was thinking about adding a script to bashrc where a user is forced upon login to enter their name, and once that has executed their history is logged/redirected to a log file somewhere. I have googled the hell out of it, but I am running into problems trying to activate the history only for that user's session.

Actually I don't know best approach for this any guidance welcomed.

Disallow direct root login and force users to login with their userid and su or sudo -i to root.

This is true, I can disable root no problem, but that is not the issue. I may have 5-10 engineers accessing a system under 3 usernames/day. It's impossible to create usernames for them all (30-40/month). I just need a way to force them to log their name and redirect their commands to a file.

We call this: login with user name and su and sudo.

Works for 100s of users per server at many thousands of companies.

If someone signs in as root then they could fiddle the local logs in any case unless you write them to a remote syslog collector that the engineers do not have access to.

You have no audit on who is using your system. Using sudo really is the way to go as a starter, but don't grant them access to switch user to root. Work out what they need to do, then grant them the privileges to do that and nothing else.

Do not let them run anything as root that you can escape to a shell with, e.g. ftp, vi or even bash as then they have full access again.

It pays to be paranoid about the root account. Protect it else you as the owner will get the blame for everything and anyone could make a costly or fatal mistake on your server. They may complain that they can't do their job, but that's where you have to negotiate and get them the privileges they need and nothing more.

Robin

If you give them root, you have lost all control.

Perhaps a script to create users would help.

If you want multiple users to use the same account, but also have logs to see which IP executed each command, that is possible.

You need to add some entries in bashrc and in addition to add some extra scripts under home directory, the final result will be like:

pts_0 [2011-10-26 16:29:04] sudo apt-get install putty
pts_0 [2011-10-26 16:29:04] ls -ltrh
pts_1 [2011-10-26 16:29:04] ssh tom_cat01
pts_3 [2011-10-26 16:29:04] cd /tmp
pts_1 [10-26-2011_17:05:39] shutdown -r now

Using the last command in addition, you can also find which IP was on pts_1 at 10-26-2011_17:05:39 and rebooted the node.
Let me know if you need something like this. I can send you the scripts to give a try.
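As an added illustration of the bashrc-based logging described in the post above (this is example code, not the poster's scripts): a hook for ~/.bashrc that records every command an interactive shell runs as "<tty> [<timestamp>] <command>", the format of the sample output, appending it to a local file and also handing it to syslog through logger(1) so that a remote collector the engineers cannot edit keeps an independent copy. The file name in AUDIT_LOG and the syslog tag "cmdaudit" are names chosen for this example.

```shell
# Added example, not code from the thread: per-command audit logging from ~/.bashrc.
# Assumed names: AUDIT_LOG (local copy of the log) and the logger tag "cmdaudit".
AUDIT_LOG="${AUDIT_LOG:-$HOME/.cmd_audit.log}"

# Turn a `history 1` line such as "  123  ls -ltrh" (or "  123* ls -ltrh" when
# the entry was edited) into just the command text.
strip_history_number() {
    printf '%s\n' "$1" | sed -E 's/^ *[0-9]+\*? +//'
}

# Build one audit line; "/dev/pts/0" becomes "pts_0" as in the sample output.
format_audit_line() {
    tty_name=$(printf '%s' "$1" | sed 's#^/dev/##; s#/#_#g')
    printf '%s [%s] %s\n' "$tty_name" "$2" "$3"
}

# Run from PROMPT_COMMAND before each prompt: record the command that just
# finished, skipping prompts that added no new history entry (e.g. a bare Enter).
record_last_command() {
    entry=$(HISTTIMEFORMAT= builtin history 1)
    [ -n "$entry" ] || return 0
    num=$(printf '%s' "$entry" | sed -E 's/^ *([0-9]+).*/\1/')
    [ "$num" = "${AUDIT_LAST_NUM:-}" ] && return 0
    AUDIT_LAST_NUM=$num
    cmd=$(strip_history_number "$entry")
    line=$(format_audit_line "$(tty 2>/dev/null || echo notty)" \
                             "$(date '+%Y-%m-%d %H:%M:%S')" "$cmd")
    printf '%s\n' "$line" >> "$AUDIT_LOG"
    # Syslog copy: forward the "cmdaudit" tag to a remote collector the users cannot touch.
    logger -t cmdaudit -- "$line" 2>/dev/null
}

# Install the hook only in interactive bash sessions, so sourcing this file
# from a non-interactive shell (scp, cron, scripts) does nothing.
case $- in
    *i*) PROMPT_COMMAND="record_last_command${PROMPT_COMMAND:+;$PROMPT_COMMAND}" ;;
esac
```

The local file reproduces what the post shows; the logger line is what makes it worth anything, since, as noted earlier in the thread, anyone who shares the root account can edit or delete a file in the home directory, while a copy already shipped to a remote syslog host cannot be quietly rewritten from the server.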

But if multiple people are logging in as root it is trivial for them to destroy this system, too.

Totally agree, but this can be done for every user, not only root.
Generally I think it is useful to have it, especially in environments where many users use the same account to log in to the server. I know it is not safe, but it happens a lot, especially in test systems.

In a Financial Services company, we would be taken to court if we cannot prove who did what where. Basically, that translates that everyone must use a personal normal account. We have groups that can perform security actions and these are highly monitored and anyone requiring root access has a sudo rule for the particular command and logs are generated and monitored by a separate team for auditing.

Huge overhead, but very necessary when the values of money in question are huge and the requirements of Data Protection are high to protect customers. There's no easy way around it, but if you give root access too easily, then someone can remove any restrictions and cover their tracks very easily.

Imagine someone adding a service that they could use as a back-door where the normal protections cease to apply, or setting up at or cron jobs to perform actions that they won't be traced to.

Keep root to (at most) three people in a single team, and then only in an emergency. Have root login restricted to the console only and limit who can access the console.

Like Corona688 says, if you give out root, you've lost all control and therefore the integrity of your server.

Robin

Well, sorry to inform you but you are wrong.

I have worked in many test, development and production environments in both big and small companies.

Never, one time, did any company permit a single login for multiple users. Never.

It is a violation of most company policies to do this, and any company or system admin who would permit this is in the wrong job; it is a basic, very basic, duty of a system admin to ensure that there is one login per person and an audit trail for each user, especially if the users have superuser privileges.

If a sys admin worked for me that insisted on a single login for multiple users, I would simply fire them immediately.

I'm going to close this thread, because we have already advised the OP on what he should do and why he should do it; and it's best we set an example of what are "best practices" and "acceptable practices" versus supporting bad ideas which are against policy at most companies.
