security

Mark Haney mhaney at practichem.com
Tue Mar 11 17:45:44 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 03/11/14 13:30, Dustin Kempter wrote:
> Hi,
> 
> we have a server (CentOS 6.4) running PostgreSQL, recently someone
> shut the db down and we want to find out who did this...
> 
> I see the db shutdown request in the postgresql log, and I suspect
> it was run as root (as a service) because we do not see any
> relevant shutdown commands in the postgres user's bash history
> file
> 
> Can someone point me in the right direction for figuring this out:
> who ran the command (I suspect it was root)? If so, where did the
> offending login come from (IP)? etc...
> 

My first thought is: how is that server accessed?  SSH?  Telnet?
Physical access?  If you know the ways it can be accessed, then you
can focus on logins.  Can you tell us what ways it can be accessed? If
it was run as root, that's a concern.  It limits you to who has either
sudo access (you /do/ have root ssh access disabled, right?) or
physical access to the machine.  I'd look in the logs specifically for
sudo calls.

Is it possible postgres was configured with a threshold that, when
reached, would trigger a db shutdown?  Say a stored procedure?  You
should check /var/log/secure, that tells you (if configured, which our
CentOS 6.5 postgres server is) what IP logged in and how.

HTH.


- -- 
Mark Haney
Network/Systems Administrator
Practichem
W: (919) 714-8428
Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTH0u/AAoJEM/YzwEAv6e79zEH/2pmnyXVG578uDksRnrkMPK2
0td37zDE++ELJbteHSAPbkbWy5K93bFp/3FO1618RnDmfG6qK+LIW7Ymm9A8RClv
ygLs442G50coi4abdyplyEb/zltypCsVLZABYOVfDQ/l1Pqth2/WCEDdQOLyJibI
TwBv+POy6jKKnhTvfZO9W7zByf2a4Ofv6gYyN8ya8NpHnVmzGzm1VJNJfuQ3Dbbh
2BLXDwpzXXUlsal0eMhPNJ9seKIM2sOGtYOsRj+NvfIylcmSCaiPpT2TeRV3WE/0
t1U2cyNy5XPiGI8sSVMz9SLigzp3kayB+AaLGi0SxBZQIAqCWTMtWE+UutWPD7c=
=57vJ
-----END PGP SIGNATURE-----
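The log review Mark suggests (sudo calls in /var/log/secure, and the sshd "Accepted" lines that show which IP a login came from) can be scripted. The following is an added example and not part of the thread; the log lines in it are constructed samples in the CentOS 6 syslog format that sshd and sudo write, and the function names (`pg_shutdown_sudo`, `ssh_logins`, `last_login_ip`, `report`) are the example's own. On a real server you would feed it `/var/log/secure*` (read as root) instead of the sample text.

```shell
#!/bin/sh
# Added example (not from the thread): find sudo invocations that stopped or
# restarted PostgreSQL and tie each one to the SSH session that preceded it.
# Constructed sample lines in /var/log/secure (CentOS 6) format:
SAMPLE_SECURE_LOG='Mar 11 13:02:11 db01 sshd[4120]: Accepted publickey for alice from 10.0.0.5 port 51322 ssh2
Mar 11 13:02:11 db01 sshd[4120]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 11 13:05:40 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service postgresql stop
Mar 11 13:07:02 db01 sshd[4188]: Accepted password for bob from 192.0.2.9 port 40011 ssh2
Mar 11 13:09:15 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/yum update'

# Print "user command" for every sudo line whose COMMAND= looks like a
# PostgreSQL stop/restart (service script, init script or pg_ctl).
# Reads log text from stdin.
pg_shutdown_sudo() {
    grep ' sudo: ' \
    | grep -E 'COMMAND=.*(service postgresql (stop|restart)|pg_ctl .*(stop|restart)|/etc/init.d/postgresql[^ ]* (stop|restart))' \
    | sed -E 's/.* sudo: +([^ ]+) : .*COMMAND=(.*)$/\1 \2/'
}

# Print "user ip" for each accepted SSH login: the source address the
# original poster wants. Reads log text from stdin.
ssh_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted ' \
    | sed -E 's/.*Accepted [a-z-]+ for ([^ ]+) from ([^ ]+) port .*/\1 \2/'
}

# Given a username, print the source IP of that user's most recent accepted
# SSH login in the log text on stdin (empty line if there is none, which on
# its own suggests a console/physical login rather than a remote one).
last_login_ip() {
    ssh_logins | awk -v u="$1" '$1 == u { ip = $2 } END { print ip }'
}

# For each suspicious sudo call, report who ran it, what was run and where
# that user's SSH session came from.
report() {
    printf '%s\n' "$SAMPLE_SECURE_LOG" | pg_shutdown_sudo | while read -r user cmd; do
        ip=$(printf '%s\n' "$SAMPLE_SECURE_LOG" | last_login_ip "$user")
        printf '%s stopped PostgreSQL via sudo (%s) from %s\n' "$user" "$cmd" "${ip:-unknown/local}"
    done
}

# Usage: on a real box replace SAMPLE_SECURE_LOG with `cat /var/log/secure*`.
report
```

The sudo line is the stronger signal of the two: it records the command and the invoking user even when root's own bash history was never written, which is exactly the case the original poster describes. The sshd line only tells you where that user's session originated, so a sudo entry with no matching "Accepted" login points at a console session or at a login that predates the retained logs.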
