On Wed, Jun 5, 2013 at 9:19 PM, Νικόλαος Κούρας <nikos.gr...@gmail.com> wrote:
> On Wednesday, 5 June 2013 2:14:34 PM UTC+3, user Heiko Wundram wrote:
>> On 05.06.2013 13:07, Νικόλαος Κούρας wrote:
>>
>> > Btw, since history doesn't show me his history commands when he logged in
>> > from .au (why not really?), how can I tell what exactly did he do when he
>> > logged on to the server?
>
>> As root has full access to your system (i.e., can change file contents
>> and system state at will), and you gave him root access: you can't. And
>> he made sure to remove things such as .bash_history and the syslog
>> contents, I guess. At least that's what I'd have done to prove a point.

In fact, I didn't even bother fiddling with syslog. All I did was .bash_history. Of course, I wasn't worried about you getting my IP addresses (one of them is public anyway, and the other isn't mine any longer than I'm using it), and nothing I did there was sufficiently serious to be worth hiding, but I just did the history so I could point out how easy this is.

> I see. Thanks.
> Is there some logging utility I can use next time I am offering root access to
> someone (if I do it) or perhaps logging a normal's account activity?

You could log a normal user fairly easily, because root trumps normal users. To log root access, there are a few options:

1) Don't actually give unrestricted roots, but require the use of sudo, which logs. Not 100% perfect unless you actually restrict the commands that can be executed, but it'd at least let you have some idea that things were tampered with.

2) Provide a special bouncer. This is a little complex to describe, so bear with me. Imagine you have *two* computers, WebHost and Bouncer. You want to give root access to WebHost, so you invite someone to ssh to webroot@bouncer - the shell of that user establishes a secondary connection to root@webhost and passes everything on, but also logs it. Since *no* access to Bouncer has been granted, the logs can't be tampered with. This can be complicated to set up and secure, but it's certainly possible. However, I think it is beyond your ability, at least at the moment.

3) Provide a hacked-up root shell that logs to a network location, and disable all other shell usage. Imperfect but would probably work.

4) Require that all root shell access be done through screen/tmux, and monitor it.

You can probably think of a few others, too.

ChrisA
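
Added example, not part of the original message or written by anyone in the thread: a review pass over sudo's syslog records for option 1, flagging the entries after which the log stops being a complete record (a root shell, a program that can spawn one, or a change to a log or history file). The program lists, the host and user names, and the sample lines are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# sudo's syslog record: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")

# Assumed, non-exhaustive lists; tune them for the host being reviewed.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "su"}
ESCAPES = {"vi", "vim", "less", "more", "man", "screen", "tmux"}
MODIFIERS = {"rm", "mv", "cp", "dd", "tee", "sed", "shred", "truncate"}
SENSITIVE = re.compile(r"_history$|^/var/log(/|$)")

def review(lines):
    """Return (user, command, reason) for each root sudo record worth a closer look."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m["runas"] != "root":
            continue
        argv = m["cmd"].split()
        prog = PurePosixPath(argv[0]).name
        if prog in SHELLS:
            reason = "root shell: what runs inside it is not logged by sudo"
        elif prog in ESCAPES:
            reason = "program can spawn a shell"
        elif prog in MODIFIERS and any(SENSITIVE.search(a) for a in argv[1:]):
            reason = "modifies a log or history file"
        else:
            continue
        findings.append((m["user"], m["cmd"], reason))
    return findings

# Constructed sample lines, not taken from the thread.
SAMPLE = [
    "Jun  5 21:30:01 webhost sudo:    guest : TTY=pts/0 ; PWD=/home/guest ; "
    "USER=root ; COMMAND=/usr/sbin/service apache2 restart",
    "Jun  5 21:31:12 webhost sudo:    guest : TTY=pts/0 ; PWD=/home/guest ; "
    "USER=root ; COMMAND=/bin/bash",
    "Jun  5 21:40:47 webhost sudo:    guest : TTY=pts/0 ; PWD=/home/guest ; "
    "USER=root ; COMMAND=/bin/rm /root/.bash_history",
    "Jun  5 21:41:03 webhost sudo:    guest : TTY=pts/0 ; PWD=/home/guest ; "
    "USER=root ; COMMAND=/usr/bin/vim /etc/hosts",
]

if __name__ == "__main__":
    for user, cmd, reason in review(SAMPLE):
        print(f"{user}: {cmd}  <- {reason}")
```

This only has value if the records are read from a copy that root on the logged machine cannot rewrite, which is the property the bouncer in option 2 provides.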