how to properly audit generic user accounts

Hi All,

I am trying to figure out a way to properly audit generic application
accounts to tie them to the named user as it has become an audit issue
that I need to implement. To date, a named user will sudo into the
generic user account. If a shell is launched, sudo will log that event,
but nothing beyond that.

Since multiple users may login as the generic application user account
at once it then becomes difficult to trace back command histories to a
single user.

Outside of making users use sudo on a command by command basis (which
would be a royal pain) I am not sure how to approach the problem.

Anyone have any thoughts on how I might accomplish this without causing
a complete revolt?

Thanks, 

One confuzzled Admin

10/5/2006 1:59:09 PM
comp.unix.solaris
"adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:

>I am trying to figure out a way to properly audit generic application
>accounts to tie them to the named user as it has become an audit issue
>that I need to implement. To date, a named user will sudo into the
>generic user account. If a shell is launched, sudo will log that event,
>but nothing beyond that.

Solaris Auditing allows you to attribute all commands to the original
user who logged in, even after sudo.

>Since multiple users may login as the generic application user account
>at once it then becomes difficult to trace back command histories to a
>single user.

Not if you use Solaris Auditing, unless you allow direct logins to
such accounts (which you should not).

Casper
-- 
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Casper
10/5/2006 2:48:08 PM
Hi Casper,

Thank you for the heads-up! I will check it out. Is this difficult to
implement? Could you refer me to any resources on Solaris auditing?

Cheers, 

One Confuzzled Admin

adeviantsubcultureof
10/5/2006 3:16:15 PM
Casper H.S. Dik wrote:
> "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:
>
> >I am trying to figure out a way to properly audit generic application
> >accounts to tie them to the named user as it has become an audit issue
> >that I need to implement. To date, a named user will sudo into the
> >generic user account. If a shell is launched, sudo will log that event,
> >but nothing beyond that.
>
> Solaris Auditing allows you to attribute all commands to the original
> user who logged in, even after sudo.
>
> >Since multiple users may login as the generic application user account
> >at once it then becomes difficult to trace back command histories to a
> >single user.
>
> Not if you use Solaris Auditing, unless you allow direct logins to
> such accounts (which you should not).
>
> Casper
> --
> Expressed in this posting are my opinions.  They are in no way related
> to opinions held by my employer, Sun Microsystems.
> Statements on Sun products included here are not gospel and may
> be fiction rather than truth.

Hi Casper,

One other thing: in a heterogeneous environment, could you suggest an
alternative for Linux servers?

adeviantsubcultureof
10/5/2006 3:58:52 PM
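The attribution Casper describes works because the audit subsystem records an audit ID that is fixed at login and preserved across su and sudo, while the uid of each process changes to the generic account. The following is an added illustration by the editor, not code from the thread or from Sun: it parses a constructed audit trail laid out like the Linux audit subsystem's records (the same idea exists there, with the login identity carried in the auid field) and attributes every command run under the shared account to the named user who logged in. The log lines and the uid-to-name table are constructed; Solaris praudit output is laid out differently but carries the same three facts (audit ID, effective uid, command).

```python
import re
from collections import defaultdict

# Constructed audit trail (not from the thread). Two named users, uid 1001 and
# 1002, each sudo to the shared account appuser (uid 3000) and run one command.
# Layout follows Linux audit records: SYSCALL carries auid (login identity) and
# uid (identity the process ran as); the EXECVE record with the same event id
# carries the argv.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1160063932.599:100): pid=2001 uid=0 auid=1001 ses=7 msg='op=login id=1001 exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1160063950.001:101): arch=c000003e syscall=59 success=yes exit=0 pid=2010 auid=1001 uid=1001 euid=0 ses=7 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=EXECVE msg=audit(1160063950.001:101): argc=4 a0="sudo" a1="-u" a2="appuser" a3="bash"
type=SYSCALL msg=audit(1160063960.123:102): arch=c000003e syscall=59 success=yes exit=0 pid=2020 auid=1001 uid=3000 euid=3000 ses=7 comm="rm" exe="/bin/rm" key="exec"
type=EXECVE msg=audit(1160063960.123:102): argc=3 a0="rm" a1="-f" a2="/opt/app/data.lock"
type=USER_LOGIN msg=audit(1160063970.500:103): pid=2101 uid=0 auid=1002 ses=8 msg='op=login id=1002 exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1160063980.250:104): arch=c000003e syscall=59 success=yes exit=0 pid=2120 auid=1002 uid=3000 euid=3000 ses=8 comm="vi" exe="/usr/bin/vi" key="exec"
type=EXECVE msg=audit(1160063980.250:104): argc=2 a0="vi" a1="/opt/app/app.conf"
"""

# Constructed uid -> login name table, standing in for the passwd map.
PASSWD = {"1001": "alice", "1002": "bob", "3000": "appuser"}

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line):
    """Split one audit record into {'time', 'event', <field>: value, ...}."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {"time": float(m.group(1)), "event": m.group(2)}
    for key, val in FIELD_RE.findall(line):
        rec[key] = val.strip("\"'")
    return rec


def attribute_commands(log_text, passwd=PASSWD):
    """Attribute each exec performed under a different uid to its audit ID.

    A command whose uid differs from its auid was run inside a su/sudo
    session; the audit ID (set at login, unchanged by sudo) names the
    human responsible, not the uid of the generic account.
    """
    by_event = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_event[rec["event"]][rec["type"]] = rec
    results = []
    for event in sorted(by_event, key=int):
        sc, ex = by_event[event].get("SYSCALL"), by_event[event].get("EXECVE")
        if not sc or not ex or sc["uid"] == sc["auid"]:
            continue  # not an exec, or not running as somebody else
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"])) if f"a{i}" in ex]
        results.append({
            "event": event,
            "session": sc["ses"],
            "login_user": passwd.get(sc["auid"], sc["auid"]),
            "ran_as": passwd.get(sc["uid"], sc["uid"]),
            "command": " ".join(argv),
        })
    return results


if __name__ == "__main__":
    for r in attribute_commands(SAMPLE_AUDIT_LOG):
        print(f"{r['login_user']:>6} (ses {r['session']}) as {r['ran_as']}: {r['command']}")
```

Both users ran their command as uid 3000, so a per-account history could not separate them; the audit ID does.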
"adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:

>Hi Casper,

>Thank you for the heads-up! I will check it out. Is this difficult to
>implement? Could you refer me to any resources on Solaris auditing?

No, but it generates a lot of output if you are not careful.

docs.sun.com has a whole section on Solaris auditing.

Casper
-- 
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Casper
10/5/2006 7:09:34 PM
In article <1160063932.599664.147260@h48g2000cwc.googlegroups.com>,
 "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> wrote:

> Casper H.S. Dik wrote:
> > "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:
> >
> > >I am trying to figure out a way to properly audit generic application
> > >accounts to tie them to the named user as it has become an audit issue
> > >that I need to implement. To date, a named user will sudo into the
> > >generic user account. If a shell is launched, sudo will log that event,
> > >but nothing beyond that.
> >
> > Solaris Auditing allows you to attribute all commands to the original
> > user who logged in, even after sudo.
> >
> > >Since multiple users may login as the generic application user account
> > >at once it then becomes difficult to trace back command histories to a
> > >single user.
> >
> > Not if you use Solaris Auditing, unless you allow direct logins to
> > such accounts (which you should not).
> >
> > Casper
> > --
> > Expressed in this posting are my opinions.  They are in no way related
> > to opinions held by my employer, Sun Microsystems.
> > Statements on Sun products included here are not gospel and may
> > be fiction rather than truth.
> 
> Hi Casper,
> 
> One other thing: in a heterogeneous environment, could you suggest an
> alternative for Linux servers?

That's easy.  Upgrade to Solaris.  Or ask Linus for this facility to be 
written into Linux.  Or write your own version.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
Michael
10/5/2006 7:20:45 PM
On 2006-10-05 20:20:45 +0100, Michael Vilain <vilain@spamcop.net> said:

> In article <1160063932.599664.147260@h48g2000cwc.googlegroups.com>,
>  "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> wrote:
> 
>> Casper H.S. Dik wrote:
>>> "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:
>>> 
>>>> I am trying to figure out a way to properly audit generic application
>>>> accounts to tie them to the named user as it has become an audit issue
>>>> that I need to implement. To date, a named user will sudo into the
>>>> generic user account. If a shell is launched, sudo will log that event,
>>>> but nothing beyond that.
>>> 
>>> Solaris Auditing allows you to attribute all commands to the original
>>> user who logged in, even after sudo.
>>> 
>>>> Since multiple users may login as the generic application user account
>>>> at once it then becomes difficult to trace back command histories to a
>>>> single user.
>>> 
>>> Not if you use Solaris Auditing, unless you allow direct logins to
>>> such accounts (which you should not).
>>> 
>>> Casper
>>> --
>>> Expressed in this posting are my opinions.  They are in no way related
>>> to opinions held by my employer, Sun Microsystems.
>>> Statements on Sun products included here are not gospel and may
>>> be fiction rather than truth.
>> 
>> Hi Casper,
>> 
>> One other thing: in a heterogeneous environment, could you suggest an
>> alternative for Linux servers?
> 
> That's easy.  Upgrade to Solaris.  Or ask Linus for this facility to be 
> written into Linux.  Or write your own version.

Or upgrade to Solaris and run your legacy Linux stuff in BrandZ zones.

Cheers,

Chris

Chris
10/5/2006 8:08:48 PM
adeviantsubcultureof1@gmail.com wrote:

> Hi All,
> 
> I am trying to figure out a way to properly audit generic application
> accounts to tie them to the named user as it has become an audit issue
> that I need to implement. To date, a named user will sudo into the
> generic user account. If a shell is launched, sudo will log that event,
> but nothing beyond that.
> 
> Since multiple users may login as the generic application user account
> at once it then becomes difficult to trace back command histories to a
> single user.
> 
> Outside of making users use sudo on a command by command basis (which
> would be a royal pain) I am not sure how to approach the problem.
> 
> Anyone have any thoughts on how I might accomplish this without causing
> a complete revolt?
> 
> Thanks, 
> 
> One confuzzled Admin
> 

Why can't the users run the application using their own accounts?
Richard
10/6/2006 3:01:40 AM