Trust, but verify.
Let's say I want to hire someone a sysadmin, and give them root access to my Unix system.
I want to disable X windows for them, only allow shell usage (through SSH, maybe), so that all operations they perform will be through the shell (not mouse operations).
I need a tool that will log to a remote server all commands they issue, as they issue them. So even if they install a back door and cover their tracks, that will be logged remotely.
- How do I disable everything but shell access?
- Is there a tool for instantaneously remotely logging commands as they are issued?
Best Answer
Don't give them root. Give them an individual account and place it in sudoers. Every command they launch with sudo will be put into the log. However, sudo power still allows them to clean up the log, and to log in as root with
sudo su -.The solution is to have the log segregated on another server, with something like syslog-ng. They can turn it off, but their having done so will be recorded and should be a great big red flag. As will
su -. I'm guessing you can block that in sudoers with a bit of thought.