Re: security

On 03/11/2014 11:38 AM, Dustin Kempter issued this missive:

> We've looked in /var/log/messages, and in the /var/log/security file.

The /var/log/security file rotates, so make sure you're looking at the
appropriate one. It may have rotated since this occurred.

> No smoking gun, only thing we have so far is this:
>
> In the postgres log we see this:
>
>     2014-03-07 15:58:09 MST [27223]: [18-1] db=,user=,host= LOG: received smart shutdown request
>
> Indicating the db received a shutdown request; this can only be run 2 ways:
> 1) via pg_ctl as the postgres user
> 2) as a service as root
>
> We looked at the .bash_history file for postgres and see no entries for
> pg_ctl. However, we do see the service stop command in the root .bash_history
> file, but we have no timestamps in the bash_history file.
>
> Are there other log files we can leverage for this search?

The security log should show each time an account is logged in and
from where (IP address). Make sure you're looking at the right file and
you should be able to correlate the time the command was issued with who
was logged in.

There are no timestamps on the history files unless the HISTTIMEFORMAT
shell variable is set. I'd recommend you edit /etc/profile and around
line 53, modify it thus:

    DEFAULT:
        export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL

    MODIFY TO:
        # strftime format prepended to each history entry; trailing space
        # keeps the timestamp separate from the command text
        HISTTIMEFORMAT="%F %T "
        export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL HISTTIMEFORMAT

This should put timestamps in the history file for all future logins.

If the user used sudo to become root, that fact should be logged via
syslog unless it was specifically disabled in the /etc/sudoers file.
You should be able to look at the various /var/log/messages* files to
see who did what via sudo.

If security is an issue, you should also look at the various bash
logging options, where every command issued by any user is logged. This
often finds the miscreants. There are simple ways to do this via
modification of the PROMPT_COMMAND variable and there are binary
versions of bash that will log no matter what you do (so root can't
bypass it). Rather depends on how paranoid you are.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- Do not taunt the sysadmins, for they are subtle and quick to anger -
----------------------------------------------------------------------
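The correlation Rick describes (match the postgres shutdown timestamp against logins and sudo invocations in the security log) as an added example that is not part of this thread. The log lines are constructed in the RHEL/Fedora sshd and sudo syslog style, the year is assumed because classic syslog stamps omit it, and both logs are assumed to share the host clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, not from the thread: the PostgreSQL line mirrors the one
# quoted on the list; the /var/log/secure lines are invented for illustration.
PG_LINE = ("2014-03-07 15:58:09 MST [27223]: [18-1] db=,user=,host= LOG: "
           "received smart shutdown request")
SECURE_LOG = """\
Mar  7 09:12:30 dbhost sshd[3980]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
Mar  7 09:40:00 dbhost sshd[3980]: pam_unix(sshd:session): session closed for user bob
Mar  7 15:41:02 dbhost sshd[4102]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar  7 15:41:02 dbhost sshd[4102]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  7 15:57:48 dbhost sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service postgresql stop
Mar  7 16:03:11 dbhost sshd[4102]: pam_unix(sshd:session): session closed for user alice
"""
SYSLOG_YEAR = 2014  # assumption: classic syslog stamps carry no year, so supply it

LOGIN_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

def syslog_time(line):
    # 'Mon dd HH:MM:SS' prefix; strptime tolerates the double space before a 1-digit day
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)

def pg_time(line):
    # 'YYYY-MM-DD HH:MM:SS' prefix; both logs are assumed to share the host clock
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")

def correlate(pg_line, secure_log, window_minutes=30):
    """Return sorted (timestamp, kind, user, detail) tuples for logins and sudo
    invocations recorded within +/- window_minutes of the shutdown request."""
    when, window, hits = pg_time(pg_line), timedelta(minutes=window_minutes), []
    for line in secure_log.splitlines():
        ts = syslog_time(line)
        if abs(ts - when) > window:
            continue  # outside the window of interest
        m = LOGIN_RE.search(line)
        if m:
            hits.append((ts, "login", m.group(1), "from " + m.group(2)))
            continue
        m = SUDO_RE.search(line)
        if m:
            hits.append((ts, "sudo", m.group(1), "as %s: %s" % (m.group(2), m.group(3))))
    return sorted(hits)

if __name__ == "__main__":
    for ts, kind, user, detail in correlate(PG_LINE, SECURE_LOG):
        print(ts, kind, user, detail)
```

Widen the window when the session that issued the stop may have been opened long before the shutdown; on a real host, feed it the rotated /var/log/secure-* file that covers the date in question.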
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx