I'm looking for a way to track our sysadmins' work on the servers. Let's say sysadmin 1 and sysadmin 2 have access to any server, but we need to make sure of and track anything they do on our servers.
Something like:
server 1 ---- auditd or history>syslog---|
server 2 ---- auditd or history>syslog------- something like log.ly or SaaS
server 3 ---- auditd or history>syslog---|
Is there any SaaS doing something like this? How do you monitor your friends or sysadmins that are working, so we could get something like this in a central location:
server 1, on 24-12-2013 12:42:32 user root command : ls
server 1, on 24-12-2013 12:42:32 user root command : cd /home
server 2, on 24-12-2013 12:42:32 user example command : ls
I know services like papertrailapp, but they only have syslog, which doesn't track the bash commands of users.
One solution is to force sudo access for all commands. Users log in as themselves and then use sudo to do their activity. If you set up a centralized syslog server you can then monitor all the sudoers entries.
Of course, prickly sysadmins like me will log in as themselves and then sudo -i, giving a non-logged shell for all subsequent commands. If you want to remove that possibility, you probably need to do so with a written policy rather than a technical solution. Could be tricky to enforce/get buy-in for.
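As an added example (not part of the question or this answer), the script below shows what the central-syslog approach from the answer produces once the sudo lines from several hosts land in one place: it parses the standard `sudo:` syslog records, rewrites each one into the "host, on time user ... command : ..." form the question asks for, and flags exactly the gap the answer describes, i.e. entries where the sudo'd command is itself a shell, su or login (a `sudo -i` shows up in the log as the target user's login shell), after which nothing further is recorded. The sample lines, host names, users and commands are constructed for this example; the field layout (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`, with a denial reason placed before `TTY=` when sudo refuses a command) is sudo's real syslog format.

```python
"""Normalise sudo syslog lines from many hosts into one central audit trail and
flag entries where a privileged interactive shell was started."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the format sudo writes to syslog; hosts, users,
# timestamps and commands are invented for this example.
SAMPLE_SYSLOG = """\
Dec 24 12:42:32 server1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Dec 24 12:42:33 server1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Dec 24 12:42:40 server2 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Dec 24 12:42:41 server3 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Dec 24 12:42:45 server3 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 2222 ssh2
Dec 24 12:43:00 server2 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
"""

# Prefix shared by every sudo record: syslog timestamp, host, "sudo:", invoking user.
SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$"
)

# Programs that, when run under sudo, hand the user an interactive root shell whose
# later commands sudo never sees ("sudo -i" is logged as the target's login shell).
SHELL_PROGRAMS = {"bash", "sh", "dash", "zsh", "ksh", "fish", "su", "sudo", "login"}


@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str              # who typed the command
    target: str            # USER= field: the account the command ran as
    tty: str
    cwd: str
    command: str
    denied: Optional[str]  # sudo's reason text when the command was refused


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo command record, or None for any other line."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    fields = {}
    reason = None
    parts = m.group("rest").split(" ; ")
    for i, part in enumerate(parts):
        key, sep, value = part.partition("=")
        if sep and key == "COMMAND":
            # COMMAND is always last and may itself contain " ; " (sh -c 'a ; b'),
            # so glue the remaining pieces back together instead of splitting them
            fields["COMMAND"] = " ; ".join([value] + parts[i + 1:])
            break
        if sep and key in ("TTY", "PWD", "USER"):
            fields[key] = value
        else:
            reason = part  # free text before TTY=, e.g. "command not allowed"
    if "COMMAND" not in fields:
        return None  # some other sudo message, not a command record
    return SudoEvent(
        ts=m.group("ts"), host=m.group("host"), user=m.group("user"),
        target=fields.get("USER", "?"), tty=fields.get("TTY", "?"),
        cwd=fields.get("PWD", "?"), command=fields["COMMAND"], denied=reason,
    )


def parse_syslog(text: str) -> List[SudoEvent]:
    """Parse a whole syslog extract, silently skipping non-sudo lines."""
    return [ev for ev in map(parse_sudo_line, text.splitlines()) if ev]


def format_central(ev: SudoEvent) -> str:
    """Render one event in the one-line-per-command form wanted for the central log."""
    line = f"{ev.host}, on {ev.ts} user {ev.user} as {ev.target} command : {ev.command}"
    if ev.denied:
        line += f"  [DENIED: {ev.denied}]"
    return line


def is_shell_escalation(ev: SudoEvent) -> bool:
    """True when the sudo'd program is a shell/su/login: later commands go unlogged."""
    if ev.denied or not ev.command.strip():
        return False
    program = ev.command.split()[0].rsplit("/", 1)[-1]
    return program in SHELL_PROGRAMS


def shell_escalations(events: List[SudoEvent]) -> List[SudoEvent]:
    """Events an auditor should review because logging coverage ends there."""
    return [ev for ev in events if is_shell_escalation(ev)]


if __name__ == "__main__":
    for ev in parse_syslog(SAMPLE_SYSLOG):
        note = "  <-- interactive root shell; commands after this are not logged" \
            if is_shell_escalation(ev) else ""
        print(format_central(ev) + note)
```

Run it as-is to see the normalised output for the constructed sample; in practice you would feed it the sudo lines your central syslog receiver collects. The shell-escalation check only catches the obvious cases (a shell, su, sudo or login run directly); anything that can spawn a shell from inside another program is outside what this log format can tell you, which is the point the answer makes about needing policy as well.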