
One of our suppliers needs to debug a problem with an application by logging remotely into one of our servers. They'll need to have root access, which I plan to provide via ssh and sudo.

I generally trust the supplier, or I wouldn't consider it, but I'd like to have some logging of their actions.

I tried installing sudosh, but couldn't get it to run due to segmentation faults. A search turned up some hacks and tips, but no serious options.

How can I log all shell input and output that a user or sudo creates?

Martijn Heemels

3 Answers


sudo does some logging. You can also limit what commands they can use. You can use the logging capability of screen (plus its multi display mode). You can even use my Bash logging functions. A combination of these will provide layers of insurance.

Ultimately, it's difficult to prevent a user with root privileges from bypassing stuff like this, so be wary.

Dennis Williamson
  • Yes, sudo's logging is a bit too limited, since it doesn't log when people start a login shell via 'sudo -i'. Something like screen or bash that logs all standard in and out, and starts automatically, would be fine. I'm aware how easy it is to circumvent, but don't expect them to do that. It's more for documentation purposes. – Martijn Heemels Jan 04 '10 at 14:41
  • +1 for mentioning "screen". – oz10 Jan 04 '10 at 16:14

Could you not share access to your desktop via something like VNC or an alternative and have them access the console via your machine? That way you can sit and watch and see exactly what they are doing.

  • I've done this in the past. It's a pretty good way to do it, tbh. You can also terminate their session if they start to do naughty things. – Tom O'Connor Jan 19 '10 at 09:18

script will "make typescript of terminal session".

It seems to record everything, which could be handy, but it does fall apart slightly if you're using vim or other things that mangle the VT.

The other thought that jumps to mind is to give the contractor login details for a 'completely safe account' (e.g. one without any permissions) and have him run screen -x to attach to an already running root shell (that you've set up and are keeping an eye on). The contractor never needs to know root passwords or have access to sudo, and you can watch (and record using script) anything that they do.

BuildTheRobots
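The two recording approaches discussed in this thread (the logged, shared root screen session from this answer, and wrapping a session in script from the first answer and this one), as an added shell example that is not code from the original posts or their authors. It assumes Linux with util-linux script and GNU screen; the log directory, the session name "supplier-debug" and the account name passed in are placeholders chosen for the example, and the sample typescript at the bottom is constructed, not captured from a real session.

```shell
#!/bin/sh
# Added example: record a supplier's root session and make the log readable afterwards.
# Assumes Linux with util-linux `script` and GNU screen. LOG_DIR, the session name
# "supplier-debug" and the supplier's account name are placeholders for this example.

LOG_DIR="${LOG_DIR:-/var/log/supplier-sessions}"

# Approach from the answer above: you (root) start a logged screen session that the
# supplier's unprivileged account may attach to with:
#     screen -x root/supplier-debug
# Cross-user attach needs screen installed setuid root ("multiuser" mode). The supplier
# never learns the root password and needs no sudo entry; every byte that reaches the
# terminal is appended to the screen logfile.
start_shared_root_session() {
    supplier="$1"
    mkdir -p "$LOG_DIR" && chmod 700 "$LOG_DIR"
    rc="$LOG_DIR/screenrc"
    cat >"$rc" <<EOF
multiuser on
acladd $supplier
deflog on
logfile $LOG_DIR/screen-%Y%m%d.log
logfile flush 1
EOF
    screen -c "$rc" -S supplier-debug
}

# Alternative: run one command (for example the supplier's shell) under `script`.
# -q: no start/stop banner on the terminal; -f: flush after every write so the
# typescript is complete even if the session is killed; -c: run this command
# instead of $SHELL. Prints the typescript path so the caller can archive it.
record_session() {
    user="$1"; shift
    mkdir -p "$LOG_DIR" && chmod 700 "$LOG_DIR"
    log="$LOG_DIR/${user}-$(date +%Y%m%dT%H%M%S).typescript"
    script -q -f -c "$*" "$log"
    printf '%s\n' "$log"
}

# Make a typescript or screen log readable: drop CSI escape sequences (colours,
# cursor movement, screen clears), drop charset-selection escapes, and apply the
# carriage-return overwrite that line editing leaves behind. Full-screen editors
# such as vim still come out as the stream of what was drawn, not the final screen.
clean_typescript() {
    esc=$(printf '\033')
    cr=$(printf '\r')
    sed -e "s/${esc}\[[0-9;?]*[A-Za-z]//g" \
        -e "s/${esc}[()=>][A-Za-z0-9]\{0,1\}//g" \
        -e "s/${cr}\$//" \
        -e "s/.*${cr}//"
}

# Constructed sample (not real supplier output): a coloured prompt, a command and its
# output, then a screen clear and a line that was overwritten with a carriage return.
sample=$(printf '\033[1;31mroot@host:~# \033[0mcat /etc/hostname\r\nsrv01\r\n\033[2J\033[Hdraft\rfinal\r\n')
printf '%s\n' "$sample" | clean_typescript
```

Keep the log directory out of the supplier's reach (it is created mode 0700 here) and, as the first answer warns, treat the result as documentation rather than as a control: anyone with a root shell can stop screen logging or kill the script process, so the value is in having a reviewable record of a cooperative session.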