
I'm looking for a way to track our sysadmin work on the servers. Let's say sysadmin 1 and sysadmin 2 have access to any server, but we need to make sure of and track anything that they do on our servers.

Something like:

server 1 ---- auditd or history>syslog---| 
server 2 ---- auditd or history>syslog------- something like log.ly or SaaS 
server 3 ---- auditd or history>syslog---|

Is there any SaaS doing something like this? How do you monitor your friends or sysadmins who are working, so we could get something like this in a central location:

server 1, on 24-12-2013 12:42:32 user root command : ls
server 1, on 24-12-2013 12:42:32 user root command : cd /home
server 2, on 24-12-2013 12:42:32 user example command : ls

I know of services like papertrailapp, but they only have syslog, which doesn't track the bash commands of users.

colealtdelete
Adam Ramadhan

1 Answer

One solution is to force sudo access for all commands. Users log in as themselves and then use sudo to do their activity. If you set up a centralized syslog server, you can then monitor all the sudoers entries.

Of course, prickly sysadmins like me will log in as themselves and then `sudo -i`, giving a non-logged shell for all subsequent commands. If you want to remove that possibility, you probably need to do so with a written policy rather than a technical solution. It could be tricky to enforce/get buy-in for.

dmourati
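As an added example (not from the asker or the answerer), the script below shows what the central-syslog approach from the answer yields in practice: it parses the default `sudo` syslog lines that rsyslog would forward from each server, reprints them in roughly the per-server format the question asks for, and separately flags the `sudo -i` / `sudo su` style invocations that the answer warns open an unlogged shell (sudo records those as `COMMAND=/bin/bash`, `COMMAND=/usr/bin/su -`, and so on). The hostnames, usernames and log lines are constructed for the example; the line format is the standard one sudo writes via syslog.

```python
import re
from dataclasses import dataclass

# Constructed sample input: sudo lines as forwarded to a central syslog host.
# Hostnames and users are made up; the format is sudo's default syslog output.
SAMPLE_LOG = """\
Dec 24 12:42:32 server1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Dec 24 12:42:35 server1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Dec 24 12:43:10 server2 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Dec 24 12:43:12 server2 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Dec 24 12:44:00 server3 sshd[1234]: Accepted publickey for carol from 10.0.0.5 port 50000 ssh2
Dec 24 12:44:05 server3 sudo:    carol : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls
"""

# One regex for both accepted and denied sudo lines. Denied lines carry an extra
# "<reason> ; " field (e.g. "user NOT in sudoers") before the TTY field.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that hand the user an interactive shell; everything typed afterwards
# is invisible to sudo logging, which is the gap the answer describes.
SHELL_ESCAPES = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/su", "/bin/su"}


@dataclass
class SudoEvent:
    host: str
    ts: str
    user: str
    target: str
    cmd: str
    denied: bool

    @property
    def shell_escape(self) -> bool:
        # Compare only the executable, so "/usr/bin/su -" is caught as well.
        return self.cmd.split()[0] in SHELL_ESCAPES


def parse_sudo_line(line: str):
    """Return a SudoEvent for a sudo syslog line, or None for any other line."""
    m = SUDO_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return SudoEvent(
        host=m["host"],
        ts=m["ts"],
        user=m["user"],
        target=m["target"],
        cmd=m["cmd"],
        denied=m["reason"] is not None,
    )


def parse_log(text: str) -> list:
    """Parse a blob of mixed syslog text, keeping only sudo events."""
    events = [parse_sudo_line(line) for line in text.splitlines()]
    return [e for e in events if e is not None]


def format_central(ev: SudoEvent) -> str:
    """Render an event in the per-server style the question asks for.
    Syslog's default timestamp carries no year, so it is passed through as-is."""
    status = "DENIED " if ev.denied else ""
    return f"{ev.host}, on {ev.ts} user {ev.user} as {ev.target} {status}command : {ev.cmd}"


def find_shell_escapes(events: list) -> list:
    """Events worth reviewing: successful sudo into an interactive shell."""
    return [e for e in events if not e.denied and e.shell_escape]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(format_central(ev))
    print("--- shell escapes (subsequent commands are not logged) ---")
    for ev in find_shell_escapes(evs):
        print(format_central(ev))
```

Feeding the real forwarded `/var/log/auth.log` (or whatever file the central rsyslog writes) into `parse_log` gives the same two views: a flat per-host command trail, and a short list of the sessions where the trail goes dark. Note that the trail only covers what went through sudo; a shell obtained via `sudo -i` still needs `auditd` or a policy answer, as the answer says.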