how to properly audit generic user accounts


Hi All,

I am trying to figure out a way to properly audit generic application
accounts to tie them to the named user as it has become an audit issue
that I need to implement. To date, a named user will sudo into the
generic user account. If a shell is launched, sudo will log that event,
but nothing beyond that.

Since multiple users may log in as the generic application user account
at once it then becomes difficult to trace back command histories to a
single user.

Outside of making users use sudo on a command-by-command basis (which
would be a royal pain) I am not sure how to approach the problem.

Anyone have any thoughts on how I might accomplish this without causing
a complete revolt?

Thanks, 

One confuzzled Admin

Reply adeviantsubcultureof1 (5) 10/5/2006 1:59:09 PM



"adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:

>I am trying to figure out a way to properly audit generic application
>accounts to tie them to the named user as it has become an audit issue
>that I need to implement. To date, a named user will sudo into the
>generic user account. If a shell is launched, sudo will log that event,
>but nothing beyond that.

Solaris Auditing allows you to attribute all commands to the original
user who logged in, even after sudo.

>Since multiple users may log in as the generic application user account
>at once it then becomes difficult to trace back command histories to a
>single user.

Not if you use Solaris Auditing, unless you allow direct logins to
such accounts (which you should not).

Casper
-- 
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Reply Casper 10/5/2006 2:48:08 PM
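
As an added example (not code from this thread or from Sun), here is the attribution Casper describes, run over constructed Linux auditd-style execve records: the `auid` field is the login uid the kernel keeps across sudo/su, the Linux counterpart of the Solaris audit ID, so grouping by `auid` instead of `uid` separates two named users working in the same generic account at the same time. The uid-to-name map, the account names and the log lines are all constructed; the check at the end flags the case Casper warns about, a direct login to the generic account, where the login uid is the generic account itself.

```python
import re
from collections import defaultdict

# Constructed sample input (not taken from any real host). The lines mimic
# Linux auditd execve records; auid is the login uid that survives sudo/su,
# the same role the audit ID plays in Solaris Auditing.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1160063949.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4001 pid=4010 auid=1001 uid=1500 euid=1500 tty=pts0 comm="rm" exe="/bin/rm" key="exec"
type=SYSCALL msg=audit(1160064072.220:202): arch=c000003e syscall=59 success=yes exit=0 ppid=4002 pid=4020 auid=1002 uid=1500 euid=1500 tty=pts1 comm="vi" exe="/usr/bin/vi" key="exec"
type=SYSCALL msg=audit(1160064100.330:203): arch=c000003e syscall=59 success=yes exit=0 ppid=4001 pid=4011 auid=1001 uid=1500 euid=1500 tty=pts0 comm="cp" exe="/bin/cp" key="exec"
type=SYSCALL msg=audit(1160064150.440:204): arch=c000003e syscall=59 success=yes exit=0 ppid=4003 pid=4030 auid=1500 uid=1500 euid=1500 tty=pts2 comm="cat" exe="/bin/cat" key="exec"
"""

# Constructed uid-to-name map standing in for /etc/passwd; appuser is the
# generic application account the thread is about.
PASSWD = {1001: "alice", 1002: "bob", 1500: "appuser"}
GENERIC_ACCOUNTS = {"appuser"}
UNSET_AUID = 4294967295  # kernel value when no login uid was ever set (daemons)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(text):
    """Turn execve audit lines (syscall=59 on x86_64) into small dicts."""
    records = []
    for line in text.splitlines():
        if "syscall=59" not in line:
            continue  # only program executions matter for command attribution
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        records.append({
            "auid": int(fields["auid"]),
            "uid": int(fields["uid"]),
            "exe": fields["exe"],
        })
    return records


def attribute(records, passwd, key="auid"):
    """Group executed programs, in log order, by the account named in `key`.

    key="uid" shows what a generic account hides: every command looks like
    appuser's.  key="auid" ties each command back to the original login.
    """
    by_user = defaultdict(list)
    for rec in records:
        ident = rec[key]
        name = "unset" if ident == UNSET_AUID else passwd.get(ident, str(ident))
        by_user[name].append(rec["exe"])
    return dict(by_user)


def unattributable(records, passwd, generic_accounts):
    """Records that cannot be tied to a named person: the login uid is a
    generic account itself (someone logged in directly) or was never set."""
    bad = []
    for rec in records:
        name = passwd.get(rec["auid"])
        if rec["auid"] == UNSET_AUID or name in generic_accounts:
            bad.append(rec)
    return bad


if __name__ == "__main__":
    recs = parse_audit(AUDIT_LOG)
    print("by uid  (what the generic account shows):", attribute(recs, PASSWD, "uid"))
    print("by auid (original login, post-sudo):     ", attribute(recs, PASSWD, "auid"))
    for rec in unattributable(recs, PASSWD, GENERIC_ACCOUNTS):
        print("direct login to generic account, no named user:", rec)
```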

Hi Casper,

Thank you for the heads-up! I will check it out. Is this difficult to
implement? Could you refer me to any resources on Solaris auditing?

Cheers, 

One Confuzzled Admin

Reply adeviantsubcultureof 10/5/2006 3:16:15 PM

Casper H.S. Dik wrote:
> "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:
>
> >I am trying to figure out a way to properly audit generic application
> >accounts to tie them to the named user as it has become an audit issue
> >that I need to implement. To date, a named user will sudo into the
> >generic user account. If a shell is launched, sudo will log that event,
> >but nothing beyond that.
>
> Solaris Auditing allows you to attribute all commands to the original
> user who logged in, even after sudo.
>
> >Since multiple users may log in as the generic application user account
> >at once it then becomes difficult to trace back command histories to a
> >single user.
>
> Not if you use Solaris Auditing, unless you allow direct logins to
> such accounts (which you should not).
>
> Casper
> --
> Expressed in this posting are my opinions.  They are in no way related
> to opinions held by my employer, Sun Microsystems.
> Statements on Sun products included here are not gospel and may
> be fiction rather than truth.

Hi Casper,

One other thing: in a heterogeneous environment, could you suggest an
alternative for Linux servers?

Reply adeviantsubcultureof 10/5/2006 3:58:52 PM

"adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:

>Hi Casper,

>Thank you for the heads-up! I will check it out. Is this difficult to
>implement? Could you refer me to any resources on Solaris auditing?

No, but it generates a lot of output if you are not careful.

docs.sun.com has a whole section on Solaris auditing.

Casper
-- 
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Reply Casper 10/5/2006 7:09:34 PM

In article <1160063932.599664.147260@h48g2000cwc.googlegroups.com>,
 "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> wrote:

> Casper H.S. Dik wrote:
> > "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:
> >
> > >I am trying to figure out a way to properly audit generic application
> > >accounts to tie them to the named user as it has become an audit issue
> > >that I need to implement. To date, a named user will sudo into the
> > >generic user account. If a shell is launched, sudo will log that event,
> > >but nothing beyond that.
> >
> > Solaris Auditing allows you to attribute all commands to the original
> > user who logged in, even after sudo.
> >
> > >Since multiple users may log in as the generic application user account
> > >at once it then becomes difficult to trace back command histories to a
> > >single user.
> >
> > Not if you use Solaris Auditing, unless you allow direct logins to
> > such accounts (which you should not).
> >
> > Casper
> > --
> > Expressed in this posting are my opinions.  They are in no way related
> > to opinions held by my employer, Sun Microsystems.
> > Statements on Sun products included here are not gospel and may
> > be fiction rather than truth.
> 
> Hi Casper,
> 
> One other thing: in a heterogeneous environment, could you suggest an
> alternative for Linux servers?

That's easy.  Upgrade to Solaris.  Or ask Linus for this facility to be 
written into Linux.  Or write your own version.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...

Reply Michael 10/5/2006 7:20:45 PM

On 2006-10-05 20:20:45 +0100, Michael Vilain <vilain@spamcop.net> said:

> In article <1160063932.599664.147260@h48g2000cwc.googlegroups.com>,
>  "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> wrote:
> 
>> Casper H.S. Dik wrote:
>>> "adeviantsubcultureof1@gmail.com" <adeviantsubcultureof1@gmail.com> writes:
>>> 
>>>> I am trying to figure out a way to properly audit generic application
>>>> accounts to tie them to the named user as it has become an audit issue
>>>> that I need to implement. To date, a named user will sudo into the
>>>> generic user account. If a shell is launched, sudo will log that event,
>>>> but nothing beyond that.
>>> 
>>> Solaris Auditing allows you to attribute all commands to the original
>>> user who logged in, even after sudo.
>>> 
>>>> Since multiple users may log in as the generic application user account
>>>> at once it then becomes difficult to trace back command histories to a
>>>> single user.
>>> 
>>> Not if you use Solaris Auditing, unless you allow direct logins to
>>> such accounts (which you should not).
>>> 
>>> Casper
>>> --
>>> Expressed in this posting are my opinions.  They are in no way related
>>> to opinions held by my employer, Sun Microsystems.
>>> Statements on Sun products included here are not gospel and may
>>> be fiction rather than truth.
>> 
>> Hi Casper,
>> 
>> One other thing: in a heterogeneous environment, could you suggest an
>> alternative for Linux servers?
> 
> That's easy.  Upgrade to Solaris.  Or ask Linus for this facility to be 
> written into Linux.  Or write your own version.

Or upgrade to Solaris and run your legacy Linux stuff in BrandZ zones.

Cheers,

Chris

Reply Chris 10/5/2006 8:08:48 PM

adeviantsubcultureof1@gmail.com wrote:

> Hi All,
> 
> I am trying to figure out a way to properly audit generic application
> accounts to tie them to the named user as it has become an audit issue
> that I need to implement. To date, a named user will sudo into the
> generic user account. If a shell is launched, sudo will log that event,
> but nothing beyond that.
> 
> Since multiple users may log in as the generic application user account
> at once it then becomes difficult to trace back command histories to a
> single user.
> 
> Outside of making users use sudo on a command-by-command basis (which
> would be a royal pain) I am not sure how to approach the problem.
> 
> Anyone have any thoughts on how I might accomplish this without causing
> a complete revolt?
> 
> Thanks, 
> 
> One confuzzled Admin
> 

Why can't the users run the application using their own accounts?
Reply Richard 10/6/2006 3:01:40 AM
comp.unix.solaris