We have a requirement to fill that will give us a daily report on all the changes that were made (and who made them) through the SSH protocol; whether it be files or database resources.
Monitoring database actions is no problem, with the exception that we have about 4000 queries per second, and logging each just to capture queries from a certain user or host requires some planning. But it can be done, so I'm okay with this.
We have a few senior developers who have ssh access to production web servers for various reasons. Files can be edited using VIM or other common text editors such as Pico, but a deployment system is supposed to be used instead. We need to watch and report on when the web environment is modified outside of this deployment process.
Our web directory structure is filled with over 5,000,000 different files and folders; some directories have so many files in them that the command "ls" breaks or simply hangs. This is an inherited CRM system, but it's live production. For this reason, utilities such as ossec hids, inotify or other system/file monitoring processes would require too many resources for real-time monitoring and notification.
Instead of monitoring the file-system, it should be possible to simply monitor the user and watch for when they access files or directories within a defined path as well as record the changes they make.
As for the requirements, we need to present a daily report of all file and database changes made throughout the day (via ssh), and if needed, produce what changes were made (a before & after). The Linux command utility 'script' almost gives us the replay except it doesn't like to work when the user opens certain programs (vim, etc). Another method of recording is needed.
I'm surprised there isn't a bona fide package out there that has an all-in-one real-time terminal-based user monitoring solution, complete with directory path tracking, resource access, modifications with time sliders, and event history that can be filtered by host or user (local/ldap/etc).
Or... is there one?
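One way to produce the daily "who changed what" report the post asks for, as an added example that is not from the original post: it assumes auditd is already recording writes under the web root with a syscall rule keyed `webedit` (the rule quoted in the docstring, `WEB_ROOT` and every log line below are constructed assumptions), and reduces the raw SYSCALL/CWD/PATH records to one row per changed file, attributed to the login uid (auid), which survives su/sudo.

```python
"""Daily 'who changed what' report from raw auditd records.  Added example, not
from the original post.  Assumes a rule like
  auditctl -a always,exit -F arch=b64 -S openat,unlinkat -F dir=/var/www -F perm=wa -F auid>=1000 -F auid!=unset -k webedit
is loaded (auid = login uid, survives su/sudo).  Sample lines are constructed: a vim save, a root rm after sudo, a denied write."""
import os, re
from collections import defaultdict
from datetime import datetime, timezone
WEB_ROOT, KEY = "/var/www", "webedit"      # assumed path and -k value of the rule
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=257 success=yes exit=3 pid=4321 auid=1001 uid=1001 tty=pts0 ses=7 comm="vim" exe="/usr/bin/vim" key="webedit"
type=CWD msg=audit(1700000000.100:501): cwd="/var/www/html"
type=PATH msg=audit(1700000000.100:501): item=1 name="config.php" inode=12 nametype=NORMAL
type=SYSCALL msg=audit(1700000003.200:502): arch=c000003e syscall=263 success=yes exit=0 pid=4400 auid=1002 uid=0 tty=pts1 ses=8 comm="rm" exe="/usr/bin/rm" key="webedit"
type=CWD msg=audit(1700000003.200:502): cwd="/root"
type=PATH msg=audit(1700000003.200:502): item=1 name="/var/www/html/old/debug.log" inode=21 nametype=DELETE
type=SYSCALL msg=audit(1700000009.000:503): arch=c000003e syscall=257 success=no exit=-13 pid=4500 auid=1003 uid=1003 tty=pts2 ses=9 comm="vim" exe="/usr/bin/vim" key="webedit"
type=CWD msg=audit(1700000009.000:503): cwd="/var/www/html"
type=PATH msg=audit(1700000009.000:503): item=1 name="index.php" inode=13 nametype=NORMAL
"""
REC_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group SYSCALL/CWD/PATH records by event id (the number after the colon)."""
    events = defaultdict(lambda: {"paths": []})
    for m in filter(None, map(REC_RE.match, text.splitlines())):
        rtype, ts, eid, rest = m.groups()
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev = events[eid]
        ev["ts"] = int(ts)
        if rtype == "SYSCALL":
            ev.update(kv)                  # auid, ses, comm, success, key, ...
        elif rtype == "CWD":
            ev["cwd"] = kv["cwd"]
        elif rtype == "PATH" and kv.get("nametype") != "PARENT":
            ev["paths"].append((kv["name"], kv["nametype"]))
    return events

def daily_report(text, key=KEY, root=WEB_ROOT):
    """Rows of (UTC time, login uid, session, program, action, absolute path)."""
    rows = []
    for ev in sorted(parse_events(text).values(), key=lambda e: e["ts"]):
        if ev.get("key") != key or ev.get("success") != "yes":
            continue                       # other rules, or attempts that failed
        for name, action in ev["paths"]:   # relative names resolve against cwd
            path = os.path.normpath(os.path.join(ev.get("cwd", "/"), name))
            if path.startswith(root + "/"):
                when = datetime.fromtimestamp(ev["ts"], timezone.utc).strftime("%H:%M:%S")
                rows.append((when, ev["auid"], ev["ses"], ev["comm"], action, path))
    return rows
```

Feeding it a day's `ausearch -k webedit --raw` output instead of `SAMPLE_LOG` gives the per-file rows; the session id (ses) lets a row be tied back to the matching sshd login record for the same day.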