[olug] Sharing root priv, tracking what other root does

David Walker linux_user at grax.com
Mon Dec 15 00:51:26 UTC 2003


I patch bash to log every command to syslog and then have it syslog across the 
network.  Especially nice for machines you don't log into very often.

If they're trying to be sneaky they can run a different shell but at least the 
evidence that they are trying to be sneaky will be there.

On Wednesday 10 December 2003 09:22 pm, Christopher Cashell wrote:
> At Wed, 10 Dec 03, Unidentified Flying Banana netsaint at cox.net, said:
> > I'm looking for a way to track what another root user does on a
> > sensitive Linux server that I have had exclusive control of.
> > Recently, I was strong-armed into giving root access to another.
>
> It's always frustrating when this happens. ;-)
>
> > Prior to sharing control I made it very clear, 'you break it and I
> > kill you'!  When this new root user breaks it, and he/she/it will, I
> > should be able to recover nicely using AMANDA.
>
> Good call.  Always be ready for when the new guy screws up. ;-)
>
> > Perhaps my emphatic statement was enough; to date, he/she/it has not
> > attempted to log in as root.  ;-)
>
> Well, that's a good sign.  Perhaps he knows that root should be used as
> rarely as possible.
>
> > Any of you admins have experience in anything?  If so, how did you
> > remedy it?
>
> One thing I've used, is to "require"[1] that all root commands be run
> via sudo.  sudo defaults to logging all use.  It's not a perfect, nor
> foolproof, solution, but it could help a lot.
>
>
>  [1] Obviously, there's no real way to force this requirement. . . if
>      you give out full access to sudo, then there are numerous ways to
>      get around the command logging ('sudo -s' being the easiest, which
>      runs a shell as root).  However, if other administrators agree to
>      abide by using sudo, it can be very effective.
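
The thread notes that sudo logs every use but that `sudo -s` (a root shell) escapes per-command logging. The sketch below is an added example, not code from either poster: it scans sudo's syslog lines and reports entries where the logged command is itself a shell or `su`, the point after which sudo records nothing further. The sample log lines, host and user names are constructed, and the shell list is an assumption to adjust per site.

```python
import posixpath
import re

# Constructed sample lines in sudo's default syslog format (not from the thread).
SAMPLE_LOG = """\
Dec 10 21:30:02 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/messages
Dec 10 21:31:40 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Dec 10 21:35:12 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Dec 10 21:40:03 srv1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/sh
Dec 10 21:41:00 srv1 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

SUDO_LINE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : (?P<fields>.*)$")
# Assumed list of programs that hand over an interactive root session.
SHELLS = {"sh", "bash", "dash", "ksh", "csh", "tcsh", "zsh", "su"}

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    head, sep, command = m.group("fields").partition("COMMAND=")
    if not sep:
        return None
    event = {"invoker": m.group("invoker"), "command": command.strip()}
    for part in head.split(" ; "):
        key, eq, value = part.partition("=")
        if eq:
            event[key.strip()] = value.strip()      # TTY, PWD, USER
        elif part.strip():
            event["note"] = part.strip()            # e.g. "command not allowed"
    return event

def root_shell_events(log_text):
    """List (invoker, command, allowed) for sudo records that start a root shell."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        argv = ev["command"].split() if ev else []
        if not argv or ev.get("USER") != "root":
            continue
        if posixpath.basename(argv[0]) in SHELLS:
            hits.append((ev["invoker"], ev["command"], "note" not in ev))
    return hits

if __name__ == "__main__":
    for invoker, command, allowed in root_shell_events(SAMPLE_LOG):
        print(invoker, command, "allowed" if allowed else "denied")
```

Run it against the copy of the log held on the remote syslog host, since a local log can be edited by anyone with root.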


