Re: root user issues

Gerald Bush_2
Occasional Advisor

root user issues

Hi everyone,
I have an issue maybe you can help me with. I have a root-level access user who I suspect is preparing for the coming eventuality that he is going to be fired. At this point I have changed his access to an account with root privileges and killed a few of the scripts he uses on a regular basis.

My issue is I do not want to alert him that I am tracking his movements in my servers. My questions are as follows:

1) Will changing to a trusted system so I can turn on auditing affect anything else in the system?

2) I really do not want to make the change to a trusted system, simply because I think it would be a tip-off to him that something was going on. Is there a way to track him in the system without changing to a trusted system?

3) Unfortunately my boss still trusts him, and until I can come up with some hard proof that he is doing things he shouldn't be doing I don't have a leg to stand on in presenting my case to my boss. Suggestions?

Gerald Bush
6 REPLIES
Rodney Hills
Honored Contributor

Re: root user issues

1) Yes. It won't work with NIS; password files are managed differently.

2) If this person is fairly sophisticated they would know. Otherwise you can turn on "history" and collect his/her shell commands. Or you can start their shell under the "script" command and collect all the input/output going to the terminal. You could also install software like "tripwire" to monitor changes to critical files.

3) Why does this user need root access? If you installed "sudo", this person could be restricted to certain applications/commands that you specify. Otherwise, I'd make sure your backups are good each night (just in case).

Hope this helps...

-- Rod Hills
There be dragons...
Michael Tully
Honored Contributor

Re: root user issues

One thing you could do is run a script that monitors changes to various system files. I'll dig it out for you Monday morning my time. At least if you track system config changes, your system could be safe. Other than turning on auditing, there is not much you can do.
Make sure that you have up to date ignite tapes cut as well. Disgruntled employees can cause some big problems, so try to prevent any possible damage by minimising the risks.
Anyone for a Mutiny ?
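As an added example (not a script posted in this thread, and not the one Michael refers to), here is a minimal Bourne-shell stand-in for the file-change monitor and tripwire-style check mentioned in the two replies above. The watch-list and baseline paths are assumptions; cksum is used because HP-UX and GNU systems both ship it, and the baseline should be stored somewhere the suspect account cannot write, since a root user can simply regenerate it.

```shell
#!/bin/sh
# Added example, not from the thread: a poor man's tripwire.
# A watch list holds one absolute path per line (assumption: /var/adm/watchlist);
# the baseline holds "cksum size path" lines (assumption: /var/adm/baseline).

# Print "cksum size path" for every existing file named in the watch list $1.
# Missing paths are skipped here; a path that was in the baseline but is now
# missing still shows up as a difference when the baseline is checked.
snapshot_files() {
    while IFS= read -r f; do
        if [ -f "$f" ]; then
            cksum "$f"
        fi
    done < "$1"
}

# Build a baseline file $2 from the watch list $1.
make_baseline() {
    snapshot_files "$1" > "$2"
}

# Compare the current state of the files in watch list $1 against baseline $2.
# Prints each path whose checksum, size or presence changed (one per line) and
# returns 1 if anything differs, 0 if the system matches the baseline.
check_baseline() {
    tmp=$(mktemp) || return 2
    snapshot_files "$1" > "$tmp"
    # diff lines look like "< 1234 56 /etc/passwd" (baseline) or "> ..." (now);
    # strip the marker and the two numbers, keep only the path, dedupe.
    changed=$(diff "$2" "$tmp" | sed -n 's/^[<>] [0-9][0-9]* [0-9][0-9]* //p' | sort -u)
    rm -f "$tmp"
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# Typical use from cron (assumed paths):
#   make_baseline /var/adm/watchlist /var/adm/baseline     # once, when trusted
#   check_baseline /var/adm/watchlist /var/adm/baseline    # periodically
```

Because the person being watched has root, copy the baseline (or the whole check) to a host he cannot reach; a baseline he can rewrite proves nothing.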
Allan Pincus
Frequent Advisor

Re: root user issues

I don't know how your company works, but maybe you should come clean with the guy and tell him your concerns, or report your concerns to HR. There are ways of dealing with this.

Any other advice on this forum might be inappropriate.

- Allan
Anil C. Sedha
Trusted Contributor

Re: root user issues

Hi,

I agree with Rodney when he asks you to turn on the history feature for that user. Even if he is knowledgeable about Unix, he might not bother looking at what his history size is.

You could probably set a large history size for him and then run a script to copy his command history into your directory. This way he won't be able to read much into what you are doing.

Don't change anything, else he might get to know.

You may tip off your boss by showing him some changes done on your systems if he is seriously affecting anything. Then let your boss decide. Don't pressure your boss into thinking against him. Just let him know that some things went wrong and it was the guy who did it.

Regards,
Anil (Don't forget to assign points for valuable answers)
If you need to learn, now is the best opportunity
Gerald Bush_2
Occasional Advisor

Re: root user issues

Thanks guys.
Actually, in one form or another I have implemented all of your suggestions previously (history and critical file mtime).

I have assigned points to all except the HR suggestion simply because the HR suggestion is not an option at this point. (data collection before action).

Thanks again.
Gerald
Nick Wickens
Respected Contributor

Re: root user issues

Keeping an eye on the .sh_history files will, as has been suggested, help, but this file can of course be updated by root to hide tracks.

What you could do is have a script running regularly (ideally on another server, logging in remotely) which looks for changes in root's .sh_history file and immediately mails the contents of the history file, or if you are clever just the differences in the file, to an external mail server that your suspect root user does not have access to.
Hats ? We don't need no stinkin' hats !!
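The history-diffing job Nick describes, written out as an added example rather than anything posted in the thread. It keeps a saved copy of the history file, reports only the lines added since the last run, and, because root can shorten or rewrite the file to cover tracks, it also flags the case where the live file is shorter than the copy or where its earlier lines no longer match. The snapshot path, the recipient address and the use of mailx are assumptions, and the script treats the history file as plain text lines; ksh's .sh_history carries some non-printable framing, so run it through `strings` or `tr -cd` first if the output looks noisy.

```shell
#!/bin/sh
# Added example, not from the thread: report what changed in a shell history
# file since the last run, including truncation or rewriting of old lines.

# $1 = saved copy from the previous run (created if absent), $2 = live file.
# Prints the new lines; if the live file shrank or its earlier lines were
# changed, prints a marker line followed by the whole current file instead.
# Always refreshes the saved copy afterwards.
history_delta() {
    saved="$1"; live="$2"
    [ -f "$saved" ] || : > "$saved"
    old_n=$(wc -l < "$saved" | tr -d ' ')
    new_n=$(wc -l < "$live" | tr -d ' ')
    if [ "$new_n" -lt "$old_n" ]; then
        echo "## history shrank from $old_n to $new_n lines; current contents follow"
        cat "$live"
    elif [ "$old_n" -gt 0 ] && ! head -n "$old_n" "$live" | cmp -s - "$saved"; then
        echo "## earlier history lines were rewritten; current contents follow"
        cat "$live"
    elif [ "$new_n" -gt "$old_n" ]; then
        tail -n +"$((old_n + 1))" "$live"
    fi
    cp "$live" "$saved"
}

# Run the comparison and mail the result if there is anything to report.
# $1 = saved copy, $2 = live history file, $3 = recipient (assumed address).
report_history() {
    delta=$(history_delta "$1" "$2")
    if [ -n "$delta" ]; then
        printf '%s\n' "$delta" | mailx -s "history delta on $(hostname)" "$3"
    fi
}

# Typical cron use (assumed paths and address):
#   report_history /var/adm/root_history.saved /.sh_history security@offsite.example
```

Run it from the other server Nick suggests, fetching a fresh copy of the history file over the network first and keeping the saved copy there, so that neither the comparison baseline nor the mail spool lives on a box where the suspect is root.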