Best practice for providing server admin contractor with root access (on CentOS)?

Solution 1:

One option is to use system configuration tools like puppet, so they can explicitly outline what is to be done to the server. Of course, that requires someone to review their work before it be applied.

The other option is to set up a network syslog service. By forwarding logged messages to another server they don't control, you can at least guarantee the integrity of logs. Make sure the system records logins / logouts and ideally, restrict access to sudo so all root commands can be sourced to specific user. Again, this server needs to be root accessible only to as few people as possible.

Solution 2:

Technical Solution: Image the server so you can compare after the fact what changes were made. Keep this copy away from them.

Political Solution: Have them sign a Statement of Work and hire contractors you can trust.

Solution 3:

As you can stop him from doing whatever he want, you should monitor the system. Best way to do it is to export the logs to an external location and use an HIDS (host intrussion detection system).

You could use splunk and OSSEC together and monitor sudo use by the administrator.

OSSEC will also notify of filesystem changes and installation of packages.

Solution 4:

What you're asking for is difficult under normal conditions. You've already indicated that they know more than you do, so it's approaching practical impossibility to monitor them when they have equivalent privs to you. ( Do they actually need full privs? Maybe not. )

If these people aren't someone you trust, you really shouldn't be working with them. As matt.j.alexander rightly pointed out, this is not a technical problem.

Quality sysadmins are hyper-concerned about their reputations for this very reason. I keep my nose clean, because there's so much implicit trust required for me to do my job. If I loose that personal trust, it's a serious career issue.