How to log commands executed by a user
First of all, I have been working with snoopy for some years and it's not what I need; also, checking the history file isn't a solution for me.
I have to give ROOT access to a developer to install a program on the server, and I know that he will remove the history after he exits the session.
I need to check what commands he ran to protect the server from abusive activity.
Is there any solution for logging commands?
Solution 1:
> I have to give ROOT access to a developer to install a program ...
No, you don't.
Get them to write down or, better yet, script the installation steps and execute them on their behalf.
This is called Separation of Duties. They are a Developer. You are a SysAdmin. Let them do the stuff that they're good at (writing code, testing, etc.) and you do the stuff that you're good at (keeping machines secure and running efficiently, etc.).
> ... I know that he will remove history after exit session.
Is this "standard practice" for your organisation? If not, why do they feel the need to do so?
> I need to check what commands he run to protect server from abuse activity.
It is clear that you do not trust this Developer.
If that is the case, then you should not let them anywhere near this server.
It's your job on the line if you allow them to install something questionable on there.
Escalate the issue to Management if necessary.
Solution 2:
You can log all the activity from the users with the psacct package.
- The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa.
- The ac command displays statistics about how long users have been logged on.
- The lastcomm command displays information about previously executed commands.
- The accton command turns process accounting on or off.
- The sa command summarizes information about previously executed commands.
Installation on RHEL/Fedora/CentOS
# yum install psacct
Installation on Ubuntu/Debian
$ sudo apt-get install acct
OR
# apt-get install acct
In RHEL, type the following commands to create the /var/account/pacct file and start the service:
# chkconfig psacct on
# /etc/init.d/psacct start
In SUSE, type the following commands to create the /var/account/pacct file and start the service:
# chkconfig acct on
# /etc/init.d/acct start
Display commands executed by USER
$ lastcomm [USER]
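As an added example (not part of the answer above), this Python sketch parses `lastcomm` output and rebuilds one terminal session in chronological order, which helps when several people log in as the same account. The sample lines, user names and ttys are constructed, and the function names are hypothetical.

```python
# Constructed sample of `lastcomm` output; lastcomm prints the newest record first.
# Columns: command, flags, user, tty, CPU time, start time. The flags column may be blank.
# Process accounting stores only the command name, not its arguments.
SAMPLE = """\
rm                 S    root     pts/1      0.00 secs Mon Mar  4 10:21
make               S    root     pts/1      1.37 secs Mon Mar  4 10:20
tar                S    root     pts/1      0.41 secs Mon Mar  4 10:19
crond              SF   root     __         0.00 secs Mon Mar  4 10:19
ls                      admin    pts/0      0.00 secs Mon Mar  4 10:18
wget               S    root     pts/1      0.22 secs Mon Mar  4 10:17
"""

# S = run with superuser privileges, F = forked without exec,
# C = PDP-11 compatibility mode, D = dumped core, X = killed by a signal.
FLAG_CHARS = set("SFCDX")


def parse_line(line):
    """Return a record dict for one lastcomm line, or None if it does not match."""
    parts = line.split()
    # Read from the right, because the flags column can be empty:
    # ... user tty cpu "secs" weekday month day HH:MM
    if len(parts) < 9 or parts[-5] != "secs":
        return None
    head = parts[:-8]  # command name, optionally followed by flags
    flags = ""
    if len(head) > 1 and set(head[-1]) <= FLAG_CHARS:
        flags = head.pop()
    return {
        "command": " ".join(head),
        "flags": flags,
        "user": parts[-8],
        "tty": parts[-7],
        "cpu": float(parts[-6]),
        "start": " ".join(parts[-4:]),
    }


def session_timeline(text, user, tty):
    """Records for one user on one terminal, oldest record first."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    mine = [r for r in records if r["user"] == user and r["tty"] == tty]
    return list(reversed(mine))


if __name__ == "__main__":
    for rec in session_timeline(SAMPLE, "root", "pts/1"):
        mark = "superuser" if "S" in rec["flags"] else ""
        print(f'{rec["start"]}  {rec["command"]:<12} {mark}')
```

On a real host, replace `SAMPLE` with the captured output of `lastcomm`.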