On 12/20/2016 05:38 PM, Rick Troth wrote:
> On 12/19/2016 09:12 AM, Michael MacIsaac wrote:
>> We cannot SSH as root in our organization which is good for preserving
>> audit trail because all users must use their own credentials.
> And that's a GOOD thing.
> Many customers either don't know this method (and why would they?) or
> don't like it (because it's an added step, annoying). Security isn't
> easy and isn't exactly fun.

Note that SSH does log which credential has been used. It prints the
fingerprint of the key being used. If you use certificates, it prints
the name embedded in it. Obviously it does not work with shared secrets
like passwords. So there is a way to trace connections back to a user
even if a target account is shared among multiple ones.

> Both 'su' and 'sudo' are logged. That's your audit trail.

But commands executed from su and when sudoing to a shell (be it with
-i/-s or directly) are not logged. So there's no real audit trail. If
you are serious about auditing on-machine actions, I'd suggest looking at
auditd. This allows tracing execve invocations, for instance.

There are also ways to let the shell log its actions, or to use PAM
modules like pam_tty_audit, which log all keystrokes in an interactive
session. sudo also supports LOG_INPUT/LOG_OUTPUT for I/O logging. But
for this you'd want it to be enforced and not sidestepped using su
instead of sudo.

If you don't necessarily want to rely on the sensitive machines doing
that, you can also introduce bastions that log all of their input/output
and that are the only way to contact the sensitive machines behind them
as a jump host.

Kind regards
Philipp Kern

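As an added illustration of the auditd point above (not part of the original mail or thread): the parser below walks constructed auditd execve records and attributes each command to the login uid (auid), which the kernel keeps across su/sudo even when uid has become 0. The sample lines, the rule in the comment and the x86_64 syscall number are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of auditd records, as a rule like
# `-a always,exit -F arch=b64 -S execve -k exec` would produce.
# Records sharing one event id (the number after the colon) belong together:
# SYSCALL carries the identities, EXECVE carries argv. uid=0 in the first
# event is a root shell reached via su/sudo; auid is the user who logged in.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1482250000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1200 pid=1235 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1482250000.123:4567): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1482250000.456:4568): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="exec"
type=EXECVE msg=audit(1482250000.456:4568): argc=1 a0="logrotate"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')
AUID_UNSET = 4294967295  # kernel value for "no login uid" (daemons, boot-time jobs)

def parse_fields(line):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def execve_trail(log_text):
    """Return one entry per execve event, attributed to the login (audit) uid."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ts, serial = m.groups()
        fields = parse_fields(line)
        ev = events[serial]
        ev.setdefault("time", float(ts))
        # syscall 59 is execve on x86_64 (arch=c000003e); other archs differ.
        if fields.get("type") == "SYSCALL" and fields.get("syscall") == "59":
            ev.update(auid=int(fields["auid"]), uid=int(fields["uid"]),
                      tty=fields.get("tty"), ses=fields.get("ses"), exe=fields.get("exe"))
        elif fields.get("type") == "EXECVE":
            # Real logs hex-encode args with spaces/non-printables (no quotes);
            # this sample only uses plain quoted arguments.
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    trail = []
    for ev in sorted(events.values(), key=lambda e: e["time"]):
        if "auid" not in ev:
            continue  # EXECVE without its SYSCALL record: cannot attribute
        ev["login_uid"] = None if ev["auid"] == AUID_UNSET else ev["auid"]
        trail.append(ev)
    return trail
```

The first entry shows the point: the process ran with uid 0, but the trail still names uid 1001 as the person behind it, while the daemon-started event has no login uid at all.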
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/