I've firewall machine customers connect on it then connect to one of another 3 machines as root through ssh key , is there any way to know which user connect to which machine and what command that he has executed without using script command ?
I want to get a of log all the commands executed by the root user with the following details :
incoming ip username (thru which su was executed) time and date all the commands executed as mentioned above.
Also if user has managed to login as root, he should not be able to disable / delete the above info. Can this info be collected at some other physical server ?
i have a linux server, the Operating system is SUZE 9 but i need to see all commands executed by any users connected on the server and the ip of the host in a log file.the history file does not contain all info that i need .please is there a way to write a script in order to save this problem .
i am working with linux security auditing project on my Servers.I want to find out all the commands executed by individual users.i think using last command,find out the login details.But how can find out the commands executed by each users on all logins except "history".?
I've setup dimdim (opensource, centos 5.3) and noticed yum & rpm commands fail when executed as root because it uses librpmio from openoffice3 instead of /usr/lib (I'm running from memory so I may have misstyped). But sudo doesn't have this problem.
How can root's search path be different, especially after I state /usr & /usr/lib at the top of /etc/ld.so.conf.
I am working on Ubuntu 9.10.Since last two days there is issue while working with Terminal.Whenever I type a command and press enter it doesnt do anything. command is not executed. I guess its in loop. when I press Ctrl+C then it comes out of loop. this happens with all commands and I am not sure what is the problem.I have reinstalled Terminal but it did not worked.
I'm running Ubuntu 10.04.2 LTS, but wanted to use Banshee instead of Rhythmbox. After running Code: sudo aptitude install banshee I wanted to bind my "Media" button on my keyboard to run banshee; unfortunately, it still wants to run rhythmbox. Where can I change the default command executed by these keyboard shortcuts? I can't seem to find them in gconf-editor under apps/metacity/* and googling has proved fruitless in finding where this configuration file is located.
$ execute_some_long_command <command is executing> <Accidently press middle button that inserts bunch of garbage (including, for example, `rm -Rf ~/*`) into console>
How to let execute_some_long_command finish, but not execute inserted things?
Inspite of having 755 permissions on the chown command, it seems the command can be executed by the root only. I was under the impression that the 'x' permission for 'others' can give executable rights to the normal user too, which does not seem to be the case here. Just curious to know, if not the file perms itself, what controls the execution of the command?
I use KeePass2 to access username/password information in a Dropbox file. This allows convenient access from multiple devices. I can't seem to copy a password to the clipboard on my Linux 2.6.27.41-170.2.117.fc10.x86_64 system, however, in order to supply the password to a prompt in an xterm(1). I've tried both Ctrl+C/Ctrl+V and highlighting and mouse button 2 clicking. The KeePass2 program on the Linux system is executed by Mono.
How do I monitor who is ssh'ing into a box (SLES) as well as failed attempts? How can I log their IP addresses, even if they're not in DNS?/var/log/messages I see their hostname but no IP address
I'm going to start monitoring our Linux servers with a log management/correlation tool to take a proactive approach to the security of our systems.
Right now I'm going to search for log events that include the following:
Any other commands or logs that would be good to correlate or be alerted on when a potential breach or suspicous activity is happening on the box? Logging cleared, permission changes on accounts or particular files or directories? What would you want to see while monioring your servers?
have around 20-30 HP and Dell Hardware where we have attached Pen Drive. There is no Rack-lock facility. A misuse of Pen Drive is reported and it happens every alternative day that someone unplug and theft the drive attached.There is no camera facility to monitor.I have a plan to write a script which will login to every machine through ILO and watch the USB availability. In case anyone dettach the USB, a mail will be sent to the administrator and thereby the steps could be taken.Does this idea look feasible.
I am currently running a 64-bit Fedora 14 server which hosts a game server, a voice server, and remote desktop functionality, each on a distinct TCP port. I am currently using the built-in firewall to deny all traffic other than ICMP ping/pong and TCP traffic on those specific ports.I am looking for a graphical application which will let me monitor any connections being made to my server in order to keep an eye out for possible security concerns. To be more specific, I'd like to be able to see the source IP addresses, TCP/UDP ports, and individual bandwidth in use by external connections being made to the server, along with any other information that might be helpful in identifying a possible intrusion attempt.
Is there a program that monitors and displays 'who' is on your wireless Internet signal that one may not be aware of? Like, the ability to see when someone that you don't know is accessing your locked wireless?
At our company we have a central server with client files. This server has a SSH server installed, and through Nautilus all employees can access the files. However, I have a few questions:
1. Most employees need access to all folders, because they might use them at some point in time. However, I want to make sure they are not accessing things they do not need. How can I do this? For instance, if somebody copies all of the folders to his/her computer, I want to be able to see this in some sort of log. Can this be done? Copying and accessing in general is what is of my concern.
2. Some employees only need access to specific folders. Can this be easily configured with SFTP?
3. Some also use SSH and type commands which I want to check every now and then (e.g. to make sure an intern is not again copying information or accessing folders they should not be in). What is a good way to do this?
I was reading a magazine article today which was a discussion of internet detective work for tracking down ip addresses which attempt an ssh login to your machine. I have never really paid much attention to network security since I only run a small home network. I have WPA encryption and a firewall on my router. But while reading this article, I remembered that I myself has seen log files in the past that inidicated someone somewhere had attempted to log into my machine (attempts all failed). This had happened a few times, but I never really considered it a threat.
But, the more I read about home computers becoming "zombies" for criminals, I guess I am getting a little paranoid in my old age, particularly since my wife does quite a bit of business on the net with credit cards. I have four computers connected to the net and each other on this network, and would like to be able to easily detect attempted log ins and deal with them quickly.
So my reason for posting is to ask if someone could recommend a novice-friendly application for monitoring traffic to check this intermittently. I have read bodhi.zazen's excellent tutorial on snort, but I it appears to be written for large lan's or web servers and is over-kill for a small home network.
I am striving to setup OSSEC to monitor some specific files for realtime changes! Is this possible? I can't really find a lot of info from their Documentation
Some Examples: /etc/myfile.txt is deleted. I need this to be reported. /etc/myfile.txt is created again so I need this to be reported again!
This has to happen instantly though, because the file might be deleted and created again many times in a short period of time.. Another one... /etc/passwd is touched (accessed) even if there is no changes! Can this be reported as well?
I want to restrict some of my Operating System users running unwanted commands. I just want them to run specified commands only. How can i achieve this?
I need to launch a bash file in Linux from an unprivileged user session, file that will run bash commands as root. But I do not want to create an user with root privileges to do that also the process must be silent (no password asked).
How can I do this without adding a user in sudoers and without giving rights to all users to execute the commands from that bash file?
I have tried SUID option witch would had been good as functionality but I understand that SUID doesn't work for script bash files.
is there a way to monitor use of rm, cp and mv commands? (other than in history)... i would prefer if it were logged in /var/log directory with time and command (with its arguments).
I read somewhere that 'sync' and 'who' commands in linux should be disabled. While i can understand that for the 'who' command, why so for 'sync'?
I can find sync and who as one of shell commands, whereas also in /bin/sync and /usr/bin/who. Are the shell commands and those in bin directory meant to serve the same purpose?
trying to devise a new sudoers configuration while building a new SOE and would like to force everyone (including system administrators) to use rootsh in favour of doing things like sudo -s, sudo bash, sudo tcsh and so forth. Effectively, use sudo to use any shell other than rootsh. Is there a way to allow users to run anything they want except shells. I realise this is a default permit which inherently is defective, but I'm not convinced that going through the 1559 executable commands of my (as yet incomplete) built system to decided on the likely 1000+ commands I would want to be genuinely allowed. As I said this is for system administrators first, and I'd like to forcibly instil the habit of sudo <command> or using rootsh to get an audited shell. But I know people are already not doing enough sudo <command> as it stands, rather they switch to bash.
I need to launch a bash file in Linux from an unprivileged user session, file that will run bash commands as root. But I do not want to create an user with root privileges to do that.
I am trying to set up an automatic backup using rsync and a publickey SSH, which requires using an empty password on the private key. I would like to lock down the key on the server so that it can only run rsync, but my attempts to use a forced command (or any other option such as no-port-forwarding) do not appear to have any effect when I run ssh -v.
I am currently debugging using the following line in ~/.ssh/authorized_keys
Code:
But when I connect, it opens up an interactive command prompt and does not display the "goodbye world" that I expect.