Tracking Use of Shared Accounts

[zeromemory]

I need to share access to the root account. Is there any way I can track what each individual user does as root? That is, is there a way to associate each command run as root with a distinct ID (IP, normal account login, etc) corresponding to who invoked the command?

[Lajasha]

By default I belive /var/messages logs logins and what IP it was from.

I do know that if you use sudo it also logs the command that was used with it.

IMHO sudo might be a better way to go.
_________________
Come and play in my land

[zeromemory]

The problem with using sudo is that its very easy for a user to gain a root shell with it (sudo su -). I know that you can restrict users from launching su or shells with sudo, but, as long as they can edit the sudo configuration file or install a new shell, they'll be able to circumvent sudo logging.

If nothing else, sudo would be a pain to use; you'd have to prefix every command with sudo.

[Lajasha]

[zeromemory]

Correct, I want to share access to the root account; I want some users to have root-level access. However, I also want to be able to track what each user does as root. That way, if anyone blows up the system, I'll know who is responsible.

[Sir_Chancealot]

[zeromemory]

Unfortunately, you don't understand the situation. I am purchasing a colocated server; root access will be shared among the people fronting the cost of the server.

Have you heard about remote logging? I think it would be hard for the users to modify the logs if they didn't have access to the server where the logs were going.

[klieber]

You want to give root level access to multiple people and you want to track what they do with it. That is exactly what sudo does.

If you don't trust people not to abuse sudo to obtain a root shell that would bypass logging, then why the hell are you giving them root access on your server in the first place? Never mind the fact that anyone with root level access can erase any trails they want from any logs you do keep.

--kurt
_________________
The problem with political jokes is that they get elected

[Sir_Chancealot]

[zeromemory]

The remote logging server is located at the same colocation facility. In other words, I can have the local logging daemon update the log files in real-time. In any case, plain-text traffic is pretty non-intensive.

Again, you don't understand the situation. These people that will be sharing root access own the system. They fully deserve the right to have root access to it.

Furthermore, is there not a way for Linux to accomplish this security measure? I remember OpenVMS having the ability to do dual password account logins.

[zeromemory]

No ideas?

[easykill]

you could just make different users with UID=0

then ~username/.bash_history will have their command history

I believe that should work.

[zeromemory]

I think that'll work...

However, do you think it would be safe to delete the normal "root" account after creating a "root-<normal_login>" account with UID=0 for each of the users that will share root?

[easykill]

I see no reason to do that.

I wouldn't find out if I were you. Might screw up something.

[zeromemory]

Well, if I gave each user access to root via their own personalized "root" account, there would be no use for the normal root account. In addition, by removing the normal root account, I would force users to use their personalized "root" account.

[easykill]

You can do that anyways for the most part.

Just make the password something they don't know

And honestly, some things may rely on there existing a root account. I wouldn't want to find that out the hard way.

One thing here: If you are worried about users purposely screwing things up as root, this won't help a bit. Besides the fact that they are root and can do anything, they can su to a different root user and do the actions as that user, so you won't really know for sure who did it.

This whole thing sounds kinda like a bad idea. There's no real good way to do it.

[smart]

I guess it won't work at all as expected. The system will probably not care at all about your different names. The users are number 0 and whenever the system wants to turn that back into a name, it will probably just pick the first in /etc/passwd that comprises account 0.
You should switch to a different security scheme. There are different tools available for that, the most directly available is the NSA one called SELinux. I cannot right away tell the specifics of it and if it does exactly what you are asking for, but you are asking for something along the lines of that and within that realm, there will be your choice. RBAC might also be a buzzword to lookout for. In the end, you wont give em root, but you'll give em rootlike capabilities which is much more clean to start with.
Or well, maybe not. Do you seek kind of a | tee of every input to the serial port or such ?

[zeromemory]

As I said in my first post, I'm just looking for a way to match up each command executed as root with a unique identifier (IP address, normal user account, etc). This information could be forwarded in real-time to a secured box.

Ok, how about this. Is there an easy way to create a log that would be in this format: 'command executed - time - ip address'? Think of it as a more informative command-line history.

[bone]

Another option that I think might be useful to you is the following. I have seen implementations of the BASH shell package with loggin. IE. they are set to log any command executed by a user. This of course could be bypassed by using a different shell (same way to bypass .bash_history). Also, remember seeing a kernel module a year or so ago that logged all Kernel EXEC calls. This would be a better option but I have not heard anything about this since then.