0

First at all, I have working some years with snoopy and it's not what I need, also checking history file isn't a solution for me.

I have to give ROOT access to a developer to install a program on the server and I know that he will remove history after he exits session.

I need to check what commands he ran to protect server from abuse activity.

Any solution to logging commands?

Dave M
  • 4,514
  • 22
  • 31
  • 30
Nimafire
  • 1
  • 5

2 Answers2

1

You can log all the activity from the users with the psacct package.

  • The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa.

  • The ac command displays statistics about how long users have been logged on.

  • The lastcommcommand displays information about previous executed commands.

  • The accton command turns process accounting on or off.

  • The sa command summarizes information about previously executed commands.

Installation on RHEL/Fedora/CentOS

# yum install psacct

Installation on Ubuntu/Debian

$ sudo apt-get install acct

OR

# apt-get install acct

In RHEL type the following commands to create /va/account/pacct file and start the service

# chkconfig psacct on

# /etc/init.d/psacct start

In Suse type the following commands to create /va/account/pacct file and start the service

# chkconfig acct on

# /etc/init.d/acct start

Display commands executed by USER

$ lastcomm [USER]
anx
  • 8,963
  • 5
  • 24
  • 48
Alejandro F.
  • 497
  • 3
  • 8
  • This is barely useful. It will only log the main commands not arguments. i.e. `rm` will tell you nothing which file the user deletes. – George Y Sep 07 '21 at 10:52
1

I have to give ROOT access to a developer to install a program ...

No, you don't.
Get them to write down or, better yet, script the installation steps and execute them on their behalf.
This is called Separation of Duties. They are a Developer. You are a SysAdmin. Let them do the stuff that they're good at (writing code, testing, etc.) and you do the stuff that you're good at (keeping machines secure and running efficiently, etc.).

... I know that he will remove history after exit session.

Is this "standard practice" for your organisation? If not, why do they feel the need to do so?

I need to check what commands he run to protect server from abuse activity.

It is clear that you do not trust this Developer.
If that is the case, then you should not let them anywhere near this server.
It's your job on the line if you allow them to install something questionable on there.

Escalate the issue to Management if necessary.

Phill W.
  • 1,479
  • 7
  • 7