security

Rick Stevens ricks at alldigital.com
Tue Mar 11 19:22:47 UTC 2014


On 03/11/2014 11:38 AM, Dustin Kempter issued this missive:
>
> We've looked in /var/log/messages, and in the /var/log/security file

The /var/log/security file rotates, so make sure you're looking at the
appropriate one. It may have rotated since this occurred.

> No smoking gun, only thing we have so far is this:
>
>
> In the postgres log we see this:
> 2014-03-07 15:58:09 MST [27223]: [18-1] db=,user=,host= LOG: received
> smart shutdown request
>
> Indicating the db received a shutdown request. This can only be run 2 ways:
> 1) via pg_ctl as the postgres user
> 2) as a service as root
>
> We looked at the .bash_history file for postgres and see no entries for
> pg_ctl. However, we do see the service stop command in the root .bash_history
> file, but we have no timestamps in the bash_history file.
>
> Are there other log files we can leverage for this search?

The security log should show each time an account is logged in and
from where (IP address). Make sure you're looking at the right file and
you should be able to correlate the time the command was issued with who
was logged in.

There are no timestamps on the history files unless the HISTTIMEFORMAT
shell variable is set. I'd recommend you edit /etc/profile and around
line 53, modify it thus:

     DEFAULT:
         export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL

     MODIFY TO:
         HISTTIMEFORMAT="y"
         export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL HISTTIMEFORMAT

This should put timestamps in the history file for all future logins.

If the user used sudo to become root, that fact should be logged via
syslog unless it was specifically disabled in the /etc/sudoers file.
You should be able to look at the various /var/log/messages* files to
see who did what via sudo.

If security is an issue, you should also look at the various bash
logging options, where every command issued by any user is logged. This
often finds the miscreants. There are simple ways to do this via
modification of the PROMPT_COMMAND variable and there are binary
versions of bash that will log no matter what you do (so root can't
bypass it). Rather depends on how paranoid you are.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- Do not taunt the sysadmins, for they are subtle and quick to anger -
----------------------------------------------------------------------
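An added example, not part of Rick's reply or the thread, showing what the HISTTIMEFORMAT change buys you at investigation time: once it is set, bash writes a `#<epoch>` line ahead of each command in .bash_history, and those stamps can be pulled out and lined up against the postgres log and /var/log/secure. The history excerpt is constructed (its stamp for the service stop is chosen to fall just before the 15:58:09 MST shutdown entry quoted above), and the PROMPT_COMMAND line at the end is one assumed form of the syslog-logging approach the reply mentions, not a quotation.

```shell
#!/bin/sh
# Constructed ~/.bash_history excerpt in the form bash writes once HISTTIMEFORMAT
# is set: a "#<epoch-seconds>" line precedes each command. The stamp on the
# "service" line is constructed to fall just before the postgres "smart shutdown
# request" logged at 15:58:09 MST (22:58:09 UTC) on 2014-03-07.
SAMPLE_HISTORY='#1394232900
tail -n 20 /var/log/messages
#1394233080
service postgresql stop
#1394233200
exit'
# first_seen HISTORY_TEXT COMMAND: print the epoch stamp of the first exact
# occurrence of COMMAND and return 0; return 1 if it is absent or unstamped
# (entries written before HISTTIMEFORMAT was set carry no stamp).
first_seen() {
    printf '%s\n' "$1" | {
        stamp=""
        while IFS= read -r line; do
            case $line in
                '#'[0-9]*) stamp=${line#\#} ;;
                *) if [ "$line" = "$2" ] && [ -n "$stamp" ]; then
                       printf '%s\n' "$stamp"; exit 0
                   fi
                   stamp="" ;;
            esac
        done
        exit 1
    }
}
# to_utc EPOCH -> "YYYY-MM-DD HH:MM:SS"; assumes GNU/busybox date (-d @EPOCH).
to_utc() { date -u -d "@$1" '+%Y-%m-%d %H:%M:%S'; }
# Print the whole history with readable UTC stamps, for reading alongside
# /var/log/secure and the postgres log, which already carry times.
render_history() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            '#'[0-9]*) stamp=${line#\#} ;;
            *) printf '%s  %s\n' "${stamp:+$(to_utc "$stamp")}" "$line"; stamp="" ;;
        esac
    done
}
# The PROMPT_COMMAND route the reply mentions, in one assumed form: send each
# command to syslog as it is entered, so the record is timestamped off-shell.
#   PROMPT_COMMAND='logger -p local1.notice -t "bash[$$] $USER" "$(history 1)"'
render_history "$SAMPLE_HISTORY"
first_seen "$SAMPLE_HISTORY" 'service postgresql stop'   # prints 1394233080
```

Run against a real history file with `render_history "$(cat /root/.bash_history)"`; entries that predate the HISTTIMEFORMAT change show up without a stamp, which is exactly the gap the thread ran into.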

