Trust, but verify.
Let's say I want to hire someone as a sysadmin and give them root access to my Unix system. I want to disable X Windows for them and only allow shell usage (through SSH, maybe), so that all operations they perform will be through the shell (not mouse operations).
I need a tool that will log to a remote server all commands they issue, as they issue them. So even if they install a back door and cover their tracks, that will be logged remotely.
- How do I disable everything but shell access?
- Is there a tool for instantaneously remotely logging commands as they are issued?
Don't give them root. Give them an individual account and place it in sudoers. Every command they launch with sudo will be put into the log. However, sudo power still allows them to clean up the log, and to log in as root with 'sudo su -'. The solution is to have the log segregated on another server, with something like syslog-ng. They can turn it off, but their having done so will be recorded and should be a great big red flag. As will 'su -'. I'm guessing you can block that in sudoers with a bit of thought.

Sudosh2 ( http://sourceforge.net/projects/sudosh2/ ) will do some of what you want. Here's a description from their website:
The user executes a command like 'sudo sudosh2', and then they have sudo.
sudosh2 is a sudo shell which will record all keystrokes and log everything from the user session (input, output, errors, etc). You can replay a user session. This can be quite handy.
sudosh2 supports syslog, and you could send this output to a remote server.
This may not do everything you need, but it could help. Some people also use rootsh, but I don't understand how that compares to sudosh.
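As an added example (not code from this thread or from the sudosh2 project): a small Python reviewer that runs over the sudo lines syslog-ng has forwarded to the remote log host and flags exactly the red flags this answer names, a 'su -' or shell launched through sudo, the logging service being stopped, and sudoers being edited. It assumes sudo's default syslog line format ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."); the hostname, user name and log lines are constructed for the example, and the reason strings and tool lists are my own choices.

```python
"""Review sudo's syslog lines for the red flags the answer above names.

Added example for this thread, not code from the original page. It assumes
the default sudo syslog line format ("user : TTY=... ; PWD=... ; USER=... ;
COMMAND=...") and is meant to run on the remote syslog host, where the
admin being reviewed has no write access. The log lines, hostname and user
name below are constructed for the example.
"""
import re

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sudo:\s+"
    r"(?P<user>\S+)\s+:\s+(?P<body>.*)$"
)

# sudo logs only the command it was asked to run; anything typed inside a
# shell it spawns (sudo su -, sudo -i, sudo bash) is never logged.
SHELL_ESCAPES = {"su", "login", "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
# Tools that can stop or kill the local log forwarder.
SERVICE_TOOLS = {"systemctl", "service", "kill", "pkill", "killall"}
LOG_SERVICES = re.compile(r"syslog-ng|rsyslog|syslogd|auditd|journald")
# Tools that modify files, paired with the files whose change matters.
EDIT_TOOLS = {"visudo", "vi", "vim", "nano", "sed", "tee", "cp", "mv", "rm",
              "truncate", "shred", "chmod", "chattr"}
SENSITIVE_PATHS = re.compile(r"/etc/(sudoers|syslog-ng|rsyslog|audit)|/var/log/")

R_DENIED = "denied sudo attempt"
R_SHELL = "unlogged root shell"
R_LOGSVC = "stops or signals the logging/audit service"
R_CONFIG = "modifies sudoers, syslog or audit config, or /var/log"


def parse(line):
    """Return a dict of the sudo line's fields, or None for non-sudo lines."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "user": m.group("user"), "denied": False}
    # Fields are separated by " ; "; a bare text field such as
    # "command not allowed" or "3 incorrect password attempts" means sudo
    # refused the request.
    for part in m.group("body").split(" ; "):
        if "=" in part:
            key, value = part.split("=", 1)
            rec[key.strip()] = value.strip()
        elif part.strip():
            rec["denied"] = True
    return rec


def flags(rec):
    """List the reasons a parsed sudo record deserves a second look."""
    cmd = rec.get("COMMAND", "")
    if not cmd:
        return []
    argv = cmd.split()
    base = argv[0].rsplit("/", 1)[-1]
    args = " ".join(argv[1:])
    reasons = []
    if rec["denied"]:
        reasons.append(R_DENIED)
    if base in SHELL_ESCAPES:
        reasons.append(R_SHELL)
    if base in SERVICE_TOOLS and LOG_SERVICES.search(args):
        reasons.append(R_LOGSVC)
    if base == "visudo" or (base in EDIT_TOOLS and SENSITIVE_PATHS.search(args)):
        reasons.append(R_CONFIG)
    return reasons


def review(lines):
    """Return (user, command, reason) triples for every flagged line."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for reason in flags(rec):
            findings.append((rec["user"], rec.get("COMMAND", ""), reason))
    return findings


# Constructed sample: one ordinary admin action, then the escapes the
# answer warns about, a denied attempt, a sudoers edit, a harmless read,
# and an unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Nov  3 10:15:22 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Nov  3 10:16:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Nov  3 10:20:45 web1 sudo:    alice : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl stop syslog-ng
Nov  3 10:21:10 web1 sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Nov  3 10:22:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Nov  3 10:23:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
Nov  3 10:24:00 web1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
""".splitlines()

if __name__ == "__main__":
    for user, cmd, reason in review(SAMPLE_LOG):
        print(f"{user}: {reason}: {cmd}")
```

Point it at whatever file the remote syslog-ng writes sudo's messages to (sudo typically logs to the authpriv facility). The list of tripwires is deliberately short: the point is to make 'su -', a stopped forwarder, or an edited sudoers unmissable on the host the admin cannot reach, not to judge every command they ran.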
In theory you can use an ssh proxy (on a system the person doesn't control) to log all traffic between the host and the system. He connects by ssh to the proxy, you log all data there and forward the connection to the target server. A local logging daemon breaks the basic principle of not giving a user administrative access to the systems expected to restrict him.
In practice it's more or less impossible to read a command log and figure out if the guy did something bad or not. If you can't trust your system administrators, you are screwed. I wouldn't bother trying.
I agree with Matt. If you can't trust them, they shouldn't have root.
For an audit trail, rootsh can be used. You can allow them to sudo only to rootsh. Combined with remote logging, it would be slightly more difficult to stop than plain sudo.
For logging everything that somebody types into your console, pam_tty_audit is what you're after. I'm pretty sure that it logs its output via syslog, so you could just pump that log to another syslog server.
NB: this logs everything, including keystrokes (up, down, ctrl, etc.), and will also log passwords when they are typed into password fields.
As many people have said, if someone has root, they have the box. Trust is king here. However, to some degree you can get the behaviour you want with sudo. The admin logs in as a normal user, then is allowed to run various commands by doing 'sudo /path/to/command'. That's probably the best you're going to get without playing a lot of games.