
Security Give root access but log everything

Discussion in 'System Administration' started by elargento, Aug 4, 2017.

  1. elargento

    elargento Member

    I was wondering if it is possible to give root access to someone I don't know very well but who offered to help me, and to log all the commands he runs on the server.

    Any suggestions?
     
  2. eva2000

    eva2000 Administrator Staff Member

  3. bassie

    bassie Active Member

    +1 for @eva2000's suggestion.

    @elargento But keep in mind that:
    Giving root to others is all about trust.
    And you don't know this person very well.

    You should, or at least could, block SMTP if possible, at least at the beginning (if the server's purpose allows it).
    You can block SMTP in the client panel of every noteworthy server service provider.

    Not to spread fear, but the above case is ideal for spammers to get a free spam machine.
    And you see this much more often nowadays.
    The problem is that you "don't know too much", so intervening from your side if it goes wrong is difficult.

    But the fact is that in case of spamming, you are responsible.
    You could, in such a case, send the server service provider the auditd logs, but most server service providers don't care.

    As you are the contractor, you signed the conditions, and so you are responsible, and only you.
    The sieve and the possible fine are for you.

    However annoying and unjust that could be,
    think about it carefully before you start.
     
    Last edited: Aug 4, 2017
  4. eva2000

    eva2000 Administrator Staff Member

    Yeah, root access is all about trust.

    Quick example on CentOS 7: use tools/auditd.sh to set up auditd, then run tools/addsudousers.sh to add a sudo user named george.
    Code (Text):
    echo "AUDITD_ENABLE='y'" >> /etc/centminmod/custom_config.inc
    cd /usr/local/src/centminmod
    git stash
    git pull
    tools/auditd.sh setup
    tools/addsudousers.sh george
    

    Then I logged in as that new sudo user, george.

    The auditd logging reveals the log entries for the actual addsudousers.sh script, which included invoking the useradd/usermod/passwd commands as the root user, as well as the sshd entries for logging in as the sudo user george.

    george's id/groups:
    Code (Text):
    id george
    uid=1002(george) gid=1002(george) groups=1002(george),10(wheel)
    


    List syscalls, itemised, for timestamps after 13:21:
    Code (Text):
    aureport -f -i -ts 13:21
    
    File Report
    ===============================================
    # date time file syscall success exe auid event
    ===============================================
    1. 08/04/2017 13:21:51 /usr/sbin/useradd execve yes /usr/sbin/useradd root 227
    2. 08/04/2017 13:21:51 /etc/passwd.2837 link yes /usr/sbin/useradd root 228
    3. 08/04/2017 13:21:51 /etc/passwd open yes /usr/sbin/useradd root 229
    4. 08/04/2017 13:21:51 /etc/group.2837 link yes /usr/sbin/useradd root 230
    5. 08/04/2017 13:21:51 /etc/group open yes /usr/sbin/useradd root 231
    6. 08/04/2017 13:21:51 /etc/gshadow.2837 link yes /usr/sbin/useradd root 232
    7. 08/04/2017 13:21:51 /etc/shadow.2837 link yes /usr/sbin/useradd root 233
    8. 08/04/2017 13:21:51 /var/log/lastlog open yes /usr/sbin/useradd root 235
    9. 08/04/2017 13:21:52 /etc/passwd ? yes ? root 237
    10. 08/04/2017 13:21:52 /etc/ rename yes /usr/sbin/useradd root 238
    11. 08/04/2017 13:21:52 /etc/group ? yes ? root 239
    12. 08/04/2017 13:21:52 /etc/ rename yes /usr/sbin/useradd root 240
    13. 08/04/2017 13:21:52 /usr/sbin/usermod execve yes /usr/sbin/usermod root 242
    14. 08/04/2017 13:21:52 /etc/passwd.2842 link yes /usr/sbin/usermod root 243
    15. 08/04/2017 13:21:52 /etc/passwd open yes /usr/sbin/usermod root 244
    16. 08/04/2017 13:21:52 /etc/shadow.2842 link yes /usr/sbin/usermod root 245
    17. 08/04/2017 13:21:52 /etc/group.2842 link yes /usr/sbin/usermod root 246
    18. 08/04/2017 13:21:52 /etc/group open yes /usr/sbin/usermod root 247
    19. 08/04/2017 13:21:52 /etc/gshadow.2842 link yes /usr/sbin/usermod root 248
    20. 08/04/2017 13:21:52 /etc/group ? yes ? root 251
    21. 08/04/2017 13:21:52 /etc/ rename yes /usr/sbin/usermod root 252
    22. 08/04/2017 13:21:52 /usr/bin/passwd execve yes /usr/bin/passwd root 253
    23. 08/04/2017 13:24:06 /var/log/ open yes /usr/sbin/sshd george 275
    


    List the authentication logs for today, which show the root user's sshd logins and the sudo user george's sshd log:
    Code (Text):
    aureport -au -i -ts today
    
    Authentication Report
    ============================================
    # date time acct host term exe success event
    ============================================
    1. 08/04/2017 13:10:43 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 86
    2. 08/04/2017 13:10:43 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 89
    3. 08/04/2017 13:17:10 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 197
    4. 08/04/2017 13:17:10 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 200
    5. 08/04/2017 13:24:00 george 192.168.xxx.xxx ssh /usr/sbin/sshd no 261
    6. 08/04/2017 13:24:02 george 192.168.xxx.xxx ssh /usr/sbin/sshd no 262
    7. 08/04/2017 13:24:06 george 192.168.xxx.xxx ssh /usr/sbin/sshd yes 263
    8. 08/04/2017 13:24:06 george 192.168.xxx.xxx ssh /usr/sbin/sshd yes 266
    


    After sudo user george switches to the root user, the authentication log shows a few '/usr/bin/su no' entries (wrong root password entered, so no switch) before '/usr/bin/su yes' (correct root password entered).

    Code (Text):
    aureport -au -i -ts today
    
    Authentication Report
    ============================================
    # date time acct host term exe success event
    ============================================
    1. 08/04/2017 13:10:43 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 86
    2. 08/04/2017 13:10:43 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 89
    3. 08/04/2017 13:17:10 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 197
    4. 08/04/2017 13:17:10 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 200
    5. 08/04/2017 13:24:00 george 192.168.xxx.xxx ssh /usr/sbin/sshd no 261
    6. 08/04/2017 13:24:02 george 192.168.xxx.xxx ssh /usr/sbin/sshd no 262
    7. 08/04/2017 13:24:06 george 192.168.xxx.xxx ssh /usr/sbin/sshd yes 263
    8. 08/04/2017 13:24:06 george 192.168.xxx.xxx ssh /usr/sbin/sshd yes 266
    9. 08/04/2017 13:33:01 root ? pts/1 /usr/bin/su no 308
    10. 08/04/2017 13:33:09 root ? pts/1 /usr/bin/su no 310
    11. 08/04/2017 13:33:15 root ? pts/1 /usr/bin/su no 312
    12. 08/04/2017 13:33:47 george ? /dev/pts/1 /usr/bin/sudo yes 318
    13. 08/04/2017 13:34:08 root ? pts/1 /usr/bin/su no 322
    14. 08/04/2017 13:34:23 root ? pts/1 /usr/bin/su no 324
    15. 08/04/2017 13:35:02 root ? pts/1 /usr/bin/su no 333
    16. 08/04/2017 13:35:25 root ? pts/1 /usr/bin/su no 335
    17. 08/04/2017 13:35:31 root ? pts/1 /usr/bin/su no 337
    18. 08/04/2017 13:35:39 root ? pts/1 /usr/bin/su no 340
    19. 08/04/2017 13:35:52 root ? pts/1 /usr/bin/su yes 342
    

    Then, as sudo user george switched to the root user, I ran the Centmin Mod command shortcut customconfig to invoke nano to edit or view /etc/centminmod/custom_config.inc, and exited nano afterwards.

    Using auditd's ausearch, I searched the auditd log at /var/log/audit/audit.log filtered by auid (the audit UID, i.e. the original id of the logged-in user), which for sudo user george is 1002. So even if you switch to the root user, auditd can still track all commands by the original sudo user's id. Filtering by timestamp after 13:40 shows that the exe=/usr/bin/nano binary opened the /etc/centminmod/custom_config.inc file as the root user (uid/gid/euid/suid/fsuid etc.) but originated from auid=george:
    Code (Text):
    ausearch -ua 1002 -i -ts 13:40
    ----
    type=PATH msg=audit(08/04/2017 13:42:26.849:369) : item=1 name=/etc/centminmod/custom_config.inc inode=18678988 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=NORMAL
    type=PATH msg=audit(08/04/2017 13:42:26.849:369) : item=0 name=/etc/centminmod/ inode=18129140 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT
    type=CWD msg=audit(08/04/2017 13:42:26.849:369) :  cwd=/root
    type=SYSCALL msg=audit(08/04/2017 13:42:26.849:369) : arch=x86_64 syscall=open success=yes exit=3 a0=0x1fff560 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x63 items=2 ppid=3229 pid=3230 auid=george uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=nano exe=/usr/bin/nano key=cmm_persistentconfig_changes
    

    And the only reason /etc/centminmod/custom_config.inc is tracked is that tools/auditd.sh adds a custom rule for it during setup.

    Listing all the rules tools/auditd.sh setup installs:
    Code (Text):
    auditctl -l
    -w /etc/audit -p wa -k auditconfig
    -w /etc/libaudit.conf -p wa -k auditconfig
    -w /etc/audisp -p wa -k audispconfig
    -w /sbin/auditctl -p x -k audittools
    -w /sbin/auditd -p x -k audittools
    -w /etc/ssh/sshd_config -p rwxa -k sshd
    -w /etc/passwd -p wa -k passwd_changes
    -w /var/log/faillog -p wa -k logins_faillog
    -w /var/log/lastlog -p wa -k logins_lastlog
    -w /usr/bin/passwd -p x -k passwd_modification
    -w /etc/group -p wa -k group_changes
    -w /bin/su -p x -k priv_esc
    -w /usr/bin/sudo -p x -k priv_esc
    -w /usr/bin/ssh -p x -k ssh-execute
    -w /etc/sudoers -p rw -k priv_esc
    -w /sbin/shutdown -p x -k power
    -w /sbin/poweroff -p x -k power
    -w /sbin/reboot -p x -k power
    -w /sbin/halt -p x -k power
    -w /usr/sbin/groupadd -p x -k group_modification
    -w /usr/sbin/groupmod -p x -k group_modification
    -w /usr/sbin/addgroup -p x -k group_modification
    -w /usr/sbin/useradd -p x -k user_modification
    -w /usr/sbin/usermod -p x -k user_modification
    -w /usr/sbin/adduser -p x -k user_modification
    -w /etc/hosts -p wa -k hosts
    -w /etc/network -p wa -k network
    -w /etc/sysctl.conf -p wa -k sysctl
    -w /etc/cron.allow -p wa -k cron-allow
    -w /etc/cron.deny -p wa -k cron-deny
    -w /etc/cron.d -p wa -k cron.d
    -w /etc/cron.daily -p wa -k cron-daily
    -w /etc/cron.hourly -p wa -k cron-hourly
    -w /etc/cron.monthly -p wa -k cron-monthly
    -w /etc/cron.weekly -p wa -k cron-weekly
    -w /etc/crontab -p wa -k crontab
    -w /var/spool/cron/root -p rwxa -k crontab_root
    -a always,exit -F arch=b32 -S link,symlink -F key=symlinked
    -a always,exit -F arch=b64 -S link,symlink -F key=symlinked
    -a always,exit -F arch=b32 -S sethostname -F key=hostname
    -a always,exit -F arch=b32 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S sethostname -F key=hostname
    -a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
    -w /usr/local/nginx/conf -p wa -k nginxconf_changes
    -w /usr/local/nginx/conf/phpstatus.conf -p wa -k phpstatusconf_changes
    -w /usr/local/etc/php-fpm.conf -p wa -k phpfpmconf_changes
    -w /usr/local/lib/php.ini -p wa -k phpini_changes
    -w /etc/my.cnf -p wa -k mycnf_changes
    -w /root/.my.cnf -p wa -k mycnfdot_changes
    -w /etc/csf/csf.conf -p wa -k csfconf_changes
    -w /etc/csf/csf.blocklists -p wa -k csfpignore_changes
    -w /etc/csf/csf.pignore -p wa -k csfpignore_changes
    -w /etc/csf/csf.fignore -p wa -k csffignore_changes
    -w /etc/csf/csf.signore -p wa -k csfsignore_changes
    -w /etc/csf/csf.rignore -p wa -k csfrignore_changes
    -w /etc/csf/csf.mignore -p wa -k csfmignore_changes
    -w /etc/csf/csf.ignore -p wa -k csfignore_changes
    -w /etc/csf/csf.dyndns -p wa -k csfdyndns_changes
    -w /etc/centminmod/php.d -p wa -k phpconfigscandir_changes
    -w /etc/centminmod/custom_config.inc -p wa -k cmm_persistentconfig_changes
    -w /usr/local/src/centminmod -p wa -k centminmod_installdir
    -w /etc/pure-ftpd/pure-ftpd.conf -p wa -k pureftpd_changes
    -w /etc/init.d/memcached -p wa -k memcachedinitd_changes
    

    The particular rule is the one with key = cmm_persistentconfig_changes:
    Code (Text):
    -w /etc/centminmod/custom_config.inc -p wa -k cmm_persistentconfig_changes
    

    You can also track/search by key, i.e. cmm_persistentconfig_changes:
    Code (Text):
    ausearch -k cmm_persistentconfig_changes -ts 13:40
    ----
    time->Fri Aug  4 13:42:26 2017
    type=PATH msg=audit(1501854146.849:369): item=1 name="/etc/centminmod/custom_config.inc" inode=18678988 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
    type=PATH msg=audit(1501854146.849:369): item=0 name="/etc/centminmod/" inode=18129140 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
    type=CWD msg=audit(1501854146.849:369):  cwd="/root"
    type=SYSCALL msg=audit(1501854146.849:369): arch=c000003e syscall=2 success=yes exit=3 a0=1fff560 a1=441 a2=1b6 a3=63 items=2 ppid=3229 pid=3230 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="nano" exe="/usr/bin/nano" key="cmm_persistentconfig_changes"
    


    Just an example of how powerful auditd can be if you set up the right auditd rules and filters: Centmin Mod Auditd Support Added In Latest 123.09beta01
     
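As an added example (not code from the post or from Centmin Mod's tools), a small Python parser for the raw audit.log records shown above: it groups SYSCALL and PATH records by event id and attributes each touched file to the login user's auid, so the root-level nano edit made after su still reads as george. The sample log lines and the auid-to-name map are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in raw /var/log/audit/audit.log form (shape of the post's ausearch -k output; values made up)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1501854146.849:369): arch=c000003e syscall=2 success=yes exit=3 a0=1fff560 a1=441 a2=1b6 a3=63 items=2 ppid=3229 pid=3230 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="nano" exe="/usr/bin/nano" key="cmm_persistentconfig_changes"
type=PATH msg=audit(1501854146.849:369): item=0 name="/etc/centminmod/" inode=18129140 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=PATH msg=audit(1501854146.849:369): item=1 name="/etc/centminmod/custom_config.inc" inode=18678988 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1501854200.100:380): arch=c000003e syscall=2 success=yes exit=4 a0=1 a1=441 a2=1b6 a3=0 items=1 ppid=100 pid=101 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="crontab"
type=PATH msg=audit(1501854200.100:380): item=0 name="/etc/crontab" inode=1 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AUID_UNSET = 4294967295  # auditd's "no login session" marker (daemons, cron jobs)

def parse_record(line):
    """Split one raw audit.log line into its key=value fields plus the event id."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["event_id"] = int(m.group(2))
    return fields

def group_events(text):
    """Join the SYSCALL and PATH records that share an event id into one event."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["event_id"]]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH" and rec.get("objtype") == "NORMAL":
            ev["paths"].append(rec["name"])  # skip PARENT directory items
    return events

def attribute_changes(text, users):
    """(login_user, uid, exe, key, file) per successful event: auid survives su/sudo, uid does not."""
    rows = []
    for ev in group_events(text).values():
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "yes":
            continue
        auid = int(sc["auid"])
        who = "unset" if auid == AUID_UNSET else users.get(auid, str(auid))
        for path in ev["paths"]:
            rows.append((who, sc["uid"], sc["exe"], sc.get("key", ""), path))
    return rows
```

Run it as `attribute_changes(SAMPLE_LOG, {1002: "george"})`; the nano event comes back attributed to george with uid 0, while the cron event's auid is reported as unset because no login session owns that process.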