how to properly audit generic user accounts

Hi All,

I am trying to figure out a way to properly audit generic application
accounts to tie them to the named user as it has become an audit issue
that I need to implement. To date, a named user will sudo into the
generic user account. If a shell is launched, sudo will log that event,
but nothing beyond that.

Since multiple users may login as the generic application user account
at once it then becomes difficult to trace back command histories to a
single user.

Outside of making users use sudo on a command by command basis (which
would be a royal pain) I am not sure how to approach the problem.

Anyone have any thoughts on how I might accomplish this without causing
a complete revolt?

Thanks, 

One confuzzled Admin

0
10/5/2006 1:59:09 PM
comp.unix.solaris

7 Replies

"adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:

>I am trying to figure out a way to properly audit generic application
>accounts to tie them to the named user as it has become an audit issue
>that I need to implement. To date, a named user will sudo into the
>generic user account. If a shell is launched, sudo will log that event,
>but nothing beyond that.

Solaris Auditing allows you to attribute all commands to the original
user who logged in, even after sudo.

>Since multiple users may login as the generic application user account
>at once it then becomes difficult to trace back command histories to a
>single user.

Not if you use Solaris Auditing, unless you allow direct logins to
such accounts (which you should not)

Casper
-- 
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
0
Casper
10/5/2006 2:48:08 PM
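
An added example, not part of the original thread or of Sun's documentation, showing the attribution described above: in `praudit` text output the `subject` token carries the audit ID (the user who originally logged in) ahead of the effective user, so commands run as a shared account can be split per person. The accounts `jdoe`, `asmith` and `appuser`, the host name and the records are constructed; it assumes the `ex` class is audited and the `argv` policy is enabled so that `exec_args` tokens are present.

```shell
#!/bin/sh
# Added example: attribute commands run as a shared account to the audit ID.
# On a live host the input would be e.g.:  auditreduce -m AUE_EXECVE | praudit

# Constructed sample: jdoe and asmith both sudo to the shared "appuser" account.
sample_records() {
cat <<'EOF'
header,120,2,execve(2),,host1,2006-10-05 15:02:11.123 +01:00
path,/usr/bin/rm
exec_args,3,rm,-f,/app/data/cache.db
subject,jdoe,appuser,staff,appuser,staff,2486,50036632,82 0 host1
return,success,0
header,118,2,execve(2),,host1,2006-10-05 15:03:40.501 +01:00
path,/usr/bin/vi
exec_args,2,vi,/app/etc/app.conf
subject,asmith,appuser,staff,appuser,staff,2511,50036700,83 0 host1
return,success,0
header,110,2,execve(2),,host1,2006-10-05 15:04:02.007 +01:00
path,/usr/bin/ls
exec_args,1,ls
subject,jdoe,jdoe,staff,jdoe,staff,2490,50036632,82 0 host1
return,success,0
EOF
}

# attribute_commands ACCOUNT: for every execve record whose effective user is
# ACCOUNT, print "time audit_id -> account: argv".
# subject token layout: audit ID, effective UID, effective GID, real UID, ...
attribute_commands() {
    awk -F, -v acct="$1" '
        $1 == "header"    { isexec = ($4 ~ /^execve/); when = $7
                            path = cmd = auid = euid = "" }
        $1 == "path" && path == "" { path = $2 }
        $1 == "exec_args" { cmd = $3; for (i = 4; i <= NF; i++) cmd = cmd " " $i }
        $1 == "subject"   { auid = $2; euid = $3 }
        $1 == "return" && isexec && euid == acct {
            if (cmd == "") cmd = path   # argv policy off: only the path is known
            print when, auid " -> " euid ": " cmd
        }
    '
}

sample_records | attribute_commands appuser
```
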
Hi Casper,

Thank you for the heads-up! I will check it out. Is this difficult to
implement? Could you refer me to any resources on Solaris auditing?

Cheers, 

One Confuzzled Admin

0
adeviantsubcultureof
10/5/2006 3:16:15 PM
Casper H.S. Dik wrote:
> "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:
>
> >I am trying to figure out a way to properly audit generic application
> >accounts to tie them to the named user as it has become an audit issue
> >that I need to implement. To date, a named user will sudo into the
> >generic user account. If a shell is launched, sudo will log that event,
> >but nothing beyond that.
>
> Solaris Auditing allows you to attribute all commands to the original
> user who logged in, even after sudo.
>
> >Since multiple users may login as the generic application user account
> >at once it then becomes difficult to trace back command histories to a
> >single user.
>
> Not if you use Solaris Auditing, unless you allow direct logins to
> such accounts (which you should not)
>
> Casper
> --
> Expressed in this posting are my opinions.  They are in no way related
> to opinions held by my employer, Sun Microsystems.
> Statements on Sun products included here are not gospel and may
> be fiction rather than truth.

Hi Casper,

One other thing: in a heterogeneous environment, could you suggest an
alternative for Linux servers?

0
adeviantsubcultureof
10/5/2006 3:58:52 PM
"adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:

>Hi Casper,

>Thank you for the heads-up! I will check it out. Is this difficult to
>implement? Could you refer me to any resources on Solaris auditing?

No, but it generates a lot of output if you are not careful.

docs.sun.com has a whole section on Solaris auditing.

Casper
-- 
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
0
Casper
10/5/2006 7:09:34 PM
In article <1160063932.599664.147260@h48g2000cwc.googlegroups.com>,
 "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com>
 wrote:

> Casper H.S. Dik wrote:
> > "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:
> >
> > >I am trying to figure out a way to properly audit generic application
> > >accounts to tie them to the named user as it has become an audit issue
> > >that I need to implement. To date, a named user will sudo into the
> > >generic user account. If a shell is launched, sudo will log that event,
> > >but nothing beyond that.
> >
> > Solaris Auditing allows you to attribute all commands to the original
> > user who logged in, even after sudo.
> >
> > >Since multiple users may login as the generic application user account
> > >at once it then becomes difficult to trace back command histories to a
> > >single user.
> >
> > Not if you use Solaris Auditing, unless you allow direct logins to
> > such accounts (which you should not)
> >
> > Casper
> > --
> > Expressed in this posting are my opinions.  They are in no way related
> > to opinions held by my employer, Sun Microsystems.
> > Statements on Sun products included here are not gospel and may
> > be fiction rather than truth.
> 
> Hi Casper,
> 
> One other thing: in a heterogeneous environment, could you suggest an
> alternative for Linux servers?

That's easy.  Upgrade to Solaris.  Or ask Linus for this facility to be 
written into Linux.  Or write your own version.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...



0
Michael
10/5/2006 7:20:45 PM
On 2006-10-05 20:20:45 +0100, Michael Vilain <vilain@spamcop.net> said:

> In article <1160063932.599664.147260@h48g2000cwc.googlegroups.com>,
>  "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> wrote:
> 
>> Casper H.S. Dik wrote:
>>> "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:
>>> 
>>>> I am trying to figure out a way to properly audit generic application
>>>> accounts to tie them to the named user as it has become an audit issue
>>>> that I need to implement. To date, a named user will sudo into the
>>>> generic user account. If a shell is launched, sudo will log that event,
>>>> but nothing beyond that.
>>> 
>>> Solaris Auditing allows you to attribute all commands to the original
>>> user who logged in, even after sudo.
>>> 
>>>> Since multiple users may login as the generic application user account
>>>> at once it then becomes difficult to trace back command histories to a
>>>> single user.
>>> 
>>> Not if you use Solaris Auditing, unless you allow direct logins to
>>> such accounts (which you should not)
>>> 
>>> Casper
>>> --
>>> Expressed in this posting are my opinions.  They are in no way related
>>> to opinions held by my employer, Sun Microsystems.
>>> Statements on Sun products included here are not gospel and may
>>> be fiction rather than truth.
>> 
>> Hi Casper,
>> 
>> One other thing: in a heterogeneous environment, could you suggest an
>> alternative for Linux servers?
> 
> That's easy.  Upgrade to Solaris.  Or ask Linus for this facility to be 
> written into Linux.  Or write your own version.

Or upgrade to Solaris and run your legacy Linux stuff in BrandZ zones.

Cheers,

Chris

0
Chris
10/5/2006 8:08:48 PM
adeviantsubcultureof1@gmail.com wrote:

> Hi All,
> 
> I am trying to figure out a way to properly audit generic application
> accounts to tie them to the named user as it has become an audit issue
> that I need to implement. To date, a named user will sudo into the
> generic user account. If a shell is launched, sudo will log that event,
> but nothing beyond that.
> 
> Since multiple users may login as the generic application user account
> at once it then becomes difficult to trace back command histories to a
> single user.
> 
> Outside of making users use sudo on a command by command basis (which
> would be a royal pain) I am not sure how to approach the problem.
> 
> Anyone have any thoughts on how I might accomplish this without causing
> a complete revolt?
> 
> Thanks, 
> 
> One confuzzled Admin
> 

Why can't the users run the application using their own accounts?
0
Richard
10/6/2006 3:01:40 AM