Server security - monitoring logons and changes

[psydT0ne]

Hey guys,

Hoping people can help.

I'm not a system administrator by any stretch of the imagination but I am an admin for a particular piece of corporate software.

Lately we've been having some major issues with things going arse-up on the software server and I suspect that a member of our "team" has been screwing about with settings and things for malicious reasons.

Is there software out there that would allow me to log the users that have been access the server and the changes (if any) that they made?

Any suggestions or insights would be great.

Cheers,

M

[digip]

What is the software used to login? Is it web based? If its a form, you can add some code to the login page, to just capture the usernames, with timestamps. I do this with a wordpress plug-in I wrote. I also implemented a full on honeypot for peopel tyring to brute force the site, so I get not just the usernames, but also the passwords they tried to use, IP, etc, but thats a whole other thing it itself.

Anyway, if its a work intranet site that they login through, and you can edit the page, I'd try hooking the form and just timestamping user logins to a log file, no passwords needed to violate user privacy, etc. Then just compare when things go funky and check what time the last person was that logged on.

If its all server software type stuff, you'd have to look into the software itself to see if it has monitoring features, or go drastic and use some packet sniffing which may not be the best way to handle it and could also be against company policy, laws, etc.

Last suggestion, confront the individual with small talk, be tactful, and try to work the question in of asking them if they did it. If you're good at reading people, you will probably be able to tell if they are lying. Other way, lock them out, see if it continues, then unban them if it does and it wasn't them. Thats pretty drastic of a step, but works to eliminate them from he list of potential people messing with it.

[Jason Cooper]

Also if it is a web service running through apache or similar then you can always go and check its access logs to see who accessed what pages and when. Depending on the authentication method used you may or may not have usernames listed with the access, but you should have IP addresses listed which should help you narrow it down to a specific machine.

If It does run through apache or similar but the system doesn't have any access controls built in then you can always add them in at the apache stage (if you have a directory service like Active Directory or LDAP then you can configure apache to authenticate users against that). That way the username should appear in the logs as well as the other details.

If the service isn't web based but on a server that people are physically logging into then you should be able to check the file that has changed to get the date and time it changed then look through the machines logs to see who was logged into the server at that time.