finding changes made to configurations
Hi,

I wanted to know: if 2-3 people have SSH access on a server and one of them makes some changes and leaves the job, is there any tracking tool which can track what things were installed or what changes were made by team individuals at a later date?

--
http://mightydreams.blogspot.com

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: finding changes made to configurations
On Thu, 2011-03-03 at 20:35 +0530, Tapas Mishra wrote:
> Hi, I wanted to know: if 2-3 people have SSH access on a server and one of them makes some changes and leaves the job, is there any tracking tool which can track what things were installed or what changes were made by team individuals at a later date?
> --
> http://mightydreams.blogspot.com

This is a very vague question. If you are talking about system admins: you can use etckeeper to track changes in /etc/ (system configuration files).

Re: finding changes made to configurations
On Thu, Mar 3, 2011 at 8:44 PM, Steven Miano mian...@gmail.com wrote:
> Did they clear out their history? /home/user/.bash_history would seemingly be a pretty good place to start. Also you could check out their username in /var/log, and see all instances of what they might have done.

.bash_history will not tell you what change was made exactly. It will tell you which file was opened. But what was modified inside that file, it won't tell you.

I am looking not only to track the exact change, which might be in a location other than etc, but also if some kind of script or .so file or something similar was added.

One way I understand is to do an ls on / and store the result in a file, and then, after the changes have been done where some files are deleted, again do an ls on / (root) and compare the results to see what files are added or deleted.

Re: finding changes made to configurations
On 2011-03-03 22:30:24 Thu, Tapas Mishra wrote:
> One way I understand is to do an ls on / and store the result in a file, and then, after the changes have been done where some files are deleted, again do an ls on / (root) and compare the results to see what files are added or deleted.

This sounds a lot like AIDE. debuntu.org has a tutorial on how to get that rolling in Ubuntu:

http://www.debuntu.org/intrusion-detection-with-aide

Hope that helps,
Paul

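The snapshot-and-compare approach from the two messages above, written out as an added example that is not part of the original thread and is not AIDE's code: it records a SHA-256 per file, so in-place edits show up alongside added and deleted files. The function names `snapshot`, `compare` and `demo` and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): hash-based snapshot and compare.
# Plain `ls` output only reveals added or deleted names; recording a SHA-256
# per file also reveals files whose content was edited in place.

# snapshot DIR MANIFEST
# Writes one "<sha256>  <relative path>" line per regular file under DIR.
# Keep MANIFEST outside DIR, on storage the audited accounts cannot write to.
snapshot() {
    [ -d "$1" ] || { echo "snapshot: $1 is not a directory" >&2; return 1; }
    ( cd "$1" && find . -xdev -type f -exec sha256sum {} + ) |
        LC_ALL=C sort -k 2 > "$2"
}

# compare OLD_MANIFEST NEW_MANIFEST
# Prints "ADDED <path>", "MODIFIED <path>" or "REMOVED <path>" per difference.
compare() {
    awk '
        # sha256sum lines: 64 hex digits, two separator characters, then path
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        {
            seen[path] = 1
            if (!(path in old))         print "ADDED " path
            else if (old[path] != hash) print "MODIFIED " path
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: constructed sample tree, changed between two snapshots.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/root/etc" "$t/root/usr/lib"
    printf 'Port 22\n' > "$t/root/etc/sshd_config"
    printf 'welcome\n' > "$t/root/etc/motd"
    printf 'nameserver 192.0.2.1\n' > "$t/root/etc/resolv.conf"
    snapshot "$t/root" "$t/before"
    printf 'Port 2222\n' > "$t/root/etc/sshd_config"   # edited in place
    rm "$t/root/etc/motd"                               # deleted
    printf 'x' > "$t/root/usr/lib/extra.so"             # newly added
    snapshot "$t/root" "$t/after"
    compare "$t/before" "$t/after"
    rm -rf "$t"
}

demo
```

A baseline only helps if it is taken before the changes and kept where the accounts being audited cannot rewrite it. It shows what changed, not who changed it.
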
Re: finding changes made to configurations
On 03/03/2011 09:05 AM, Tapas Mishra wrote:
> Hi, I wanted to know: if 2-3 people have SSH access on a server and one of them makes some changes and leaves the job, is there any tracking tool which can track what things were installed or what changes were made by team individuals at a later date?

I love the file integrity checks from OSSEC.

--
Compugraf