Linux – Best practice for providing server admin contractor with root access (on CentOS)

Tags: centos, linux, security

I am hiring a freelance Server Admin (who is more experienced than me – that's why I am hiring them) to do some work on my CentOS-running VPS. They will require root-level access to the server, as they need to install server daemons and such.

What's the best practice in this scenario: how can I identify if the contractor goes and installs rootkits or does something otherwise nasty? What I have done is created a new account for the user, added the new account to group "wheel", and then used visudo to enable the group wheel to run all commands.

Are there any other steps I should be taking? I accept that by handing over sudo privileges the contractor could pretty much do whatever they want, and at the end of the day I need to trust them; I guess I at minimum want to make sure I have a record of whatever they do, just in case.

Thanks

Best Answer

One option is to use system configuration tools like puppet, so they can explicitly outline what is to be done to the server. Of course, that requires someone to review their work before it is applied.

The other option is to set up a network syslog service. By forwarding logged messages to another server they don't control, you can at least guarantee the integrity of logs. Make sure the system records logins / logouts and ideally, restrict access to sudo so all root commands can be sourced to a specific user. Again, this server needs to be root accessible only to as few people as possible.
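As an added example that is not part of the question or the answer above, the script below stages the CentOS-side pieces the answer calls for (audited sudo for the wheel group, rsyslog forwarding to a collector the contractor cannot reach, and auditd rules keyed on the login uid so that commands run inside a root shell still trace back to the account that opened it) and then shows how the forwarded log lines attribute root commands to a user. The collector hostname `logs.example.net`, the account name `contractor`, and the log excerpt embedded in the script are assumptions constructed for illustration; the files are written to a staging directory for review, not to `/etc`.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Stages config fragments into $STAGE for review before copying them into
# /etc, then attributes sample sudo log lines to the account that ran them.
# Assumptions: the collector hostname, the account "contractor" and the
# sample log lines below are all constructed for illustration.

STAGE="${STAGE:-$(mktemp -d)}"
LOGHOST="${LOGHOST:-logs.example.net}"   # assumed central syslog collector

# sudoers drop-in for /etc/sudoers.d/: wheel may run anything, but every
# invocation is logged to syslog and a file, and interactive shells
# (sudo -i, sudo bash) are recorded by the I/O log, so "COMMAND=/bin/bash"
# is not the end of the trail. Validate with: visudo -c -f <file>
write_sudoers() {
  cat > "$STAGE/sudoers.d-10-wheel-audited" <<'EOF'
Defaults    syslog=authpriv
Defaults    logfile=/var/log/sudo.log
Defaults    log_input, log_output
Defaults    iolog_dir=/var/log/sudo-io
%wheel      ALL=(ALL) ALL
EOF
}

# rsyslog drop-in for /etc/rsyslog.d/: ship auth/sudo records off-box over
# TCP (@@) as they are written, so a later "rm /var/log/secure" on the VPS
# changes nothing on the collector. authpriv carries sshd logins/logouts
# and the sudo lines above.
write_rsyslog() {
  cat > "$STAGE/rsyslog.d-forward.conf" <<EOF
authpriv.*;auth.*;*.info    @@${LOGHOST}:514
EOF
}

# auditd rules for /etc/audit/rules.d/: the audit uid (auid) is fixed at
# login and survives sudo/su, so every execve as root is tied to the human
# account even inside a root shell. Load with: augenrules --load
write_audit_rules() {
  cat > "$STAGE/audit.rules.d-contractor.rules" <<'EOF'
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmd
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmd
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /etc/rsyslog.d/ -p wa -k logging
-w /etc/audit/ -p wa -k auditconf
EOF
}

write_sudoers; write_rsyslog; write_audit_rules

# Constructed /var/log/secure excerpt (not real data), in the format sudo
# and sshd emit: a package install, a root shell, an ssh login, and an
# unrelated command by the owner account.
SAMPLE_LOG='Jan 10 14:02:11 vps sudo: contractor : TTY=pts/0 ; PWD=/home/contractor ; USER=root ; COMMAND=/usr/bin/yum install -y nginx
Jan 10 14:05:42 vps sudo: contractor : TTY=pts/0 ; PWD=/home/contractor ; USER=root ; COMMAND=/bin/bash
Jan 10 14:07:03 vps sshd[1221]: Accepted publickey for contractor from 203.0.113.7 port 51022 ssh2
Jan 10 14:30:19 vps sudo:    owner : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tail /var/log/sudo.log'

# Root commands a given account ran through sudo, one per line.
sudo_commands_by() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk -v u="$1" '$5 == "sudo:" && $6 == u && /USER=root/ { sub(/.*COMMAND=/, ""); print }'
}

# Of those, the ones that handed over an interactive shell: from that point
# the per-command sudo log is blind and only the I/O log or auditd shows
# what actually ran.
root_shells_by() {
  sudo_commands_by "$1" | awk '$1 ~ /\/(ba|z|k)?sh$|\/su$/'
}

# Number of accepted ssh logins for the account, as recorded by sshd.
logins_by() {
  printf '%s\n' "$SAMPLE_LOG" | grep -c "sshd\[[0-9]*\]: Accepted .* for $1 "
}

main() {
  echo "Staged config in $STAGE:"; ls "$STAGE"
  echo "Root commands by contractor:"; sudo_commands_by contractor
  echo "Root shells (need I/O log or auditd to see inside):"; root_shells_by contractor
  echo "ssh logins by contractor: $(logins_by contractor)"
}
main
```

The point of the three pieces together: sudo's command log answers "who ran what" only until the contractor types `sudo -i`, after which the I/O log and the auid-keyed auditd rules are what keep attribution, and none of it is worth much unless the records leave the box in real time, because root on the VPS can edit anything that stays local.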