
Sometimes we have contract developers that need to do work on the server (via ssh or sftp) and I've been looking for ways to monitor what they do on our Debian based server. We have ways of limiting access (restricting access by IP) so they only have access when we have them working on something but we would like to be able to monitor sessions in a way that we can see what they did (possible on desktop but I'm not sure if this is possible on a Linux server).

Sometimes contractors need privileged access to troubleshoot problems which may mean they can change nginx configs or modify databases. Privileged access also gives them the ability to add malicious code (logic bombs, etc) or break stuff by accident without knowing what they did to break it.

LXD isn't a good enough option because it doesn't monitor key entries, and the resources contractors need access to (the entire PHP web application stack) are the asset. So if they break it, we have to switch to a backup web server anyway. While chroot can be used to limit what the user can do, it's not a monitoring tool.

The history file in Linux can be modified by the user and even if it couldn't be modified, it doesn't show commands run after entering a prompt (like after entering mysql or opening a file). Adding git to the root of the system has the same limitations.

We have a server that has the production database and native scripts for the website that we can quickly switch to in an emergency. But without a way to inventory who's had access AND exactly what they have done, tracing blame or even defining what was done is a nightmare.

Options I've Looked at:

  • This option acts as an authorized MIM and records ssh session info on a proxy server. This is very similar to what I was saying would be ideal in my comments. I haven't tested this yet.
  • Similar option by ezeelogin, but like the above option, I don't see a way to manage file changes over sftp, so I'll have to test to find out if this is supported.

What solutions are available for this?
Are there any reliable key-loggers that can be used for this?
Are there any enterprise solutions for this?

  • It's worth reading law #6 of the ten immutable laws of security: marshall.edu/it/departments/information-security/… Commented Sep 19, 2019 at 19:20
  • @ConorMancone, "A computer is only as secure as the administrator is trustworthy"... the circumstances facing the people you can trust today might change such that you can't trust them tomorrow. If a logging solution exists for this, at least I'll be able to record every move they make all the way up to the point they write a FW rule to block my remote monitoring scripts, or whatever else, at which point I can kill their connection via the cloud firewall, shut down the host, and investigate.
    – jtlindsey, Commented Sep 19, 2019 at 19:38
  • Don't get me wrong - I'm all for putting in logging and security where you can. However, if you're talking about root it is still quite tricky. After all, if they realize you are logging them, they may very well be able to delete/modify the log. Unless you are talking about "live" logging, aka actively monitoring what they are doing. Even that is not entirely foolproof. Either way, if you want to log everything they do, you should make sure the log is being saved in an external system live, and is uni-directional. Commented Sep 19, 2019 at 19:49
  • Unidirectional meaning that the log is sent from the server to your logging system, and, the logging system being external, the server has no ability to modify/delete anything from the logging system. Commented Sep 19, 2019 at 19:50
  • I agree. A lot of the methods I've looked at are not foolproof. Definitely looking for live logging and the logs being remote. I feel like the most ideal solution would be like an ssh tunnel proxy where the proxy records every keystroke on its way through the tunnel. Something similar to how LFCS exams are performed. And for sftp it would simultaneously write the files sent to the intended destination as well as to a files log directory on the proxy server. I feel like this has to be possible.
    – jtlindsey, Commented Sep 19, 2019 at 20:04

1 Answer


Two different approaches could be used.

File integrity monitoring

Host based intrusion detection software such as AIDE can be configured to record hashes of important files on the system and then perform periodic scans to report on files that have changed. In your case, if the contractors sometimes have root access, some steps would need to be taken to ensure they could not modify the hashes to avoid changes being detected.

Audit logging

The Linux auditd daemon can be configured to log all commands run by an administrator, as described in this question: https://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers

In this case it would be wise to use syslog to send the logs to a remote server that the contractors do not have access to in order to prevent them tampering with the logs.
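As an added example, not part of the answer above: a small Python parser for the records auditd writes under an execve rule, joining the SYSCALL, EXECVE and CWD records of each event and attributing the command to the login uid (auid), so a command run as root can still be traced to the contractor's own account after su or sudo. The rule in the comment and the log lines are constructed for this example; note that auditd records that a program such as mysql was started, not what was typed inside it.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample (not a real capture) of the records auditd emits under a
# rule such as: -a always,exit -F arch=b64 -S execve -F euid=0 -k root_cmds
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1568922025.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3105 auid=1001 uid=0 euid=0 tty=pts1 ses=7 comm="sed" exe="/bin/sed" key="root_cmds"
type=EXECVE msg=audit(1568922025.123:4242): argc=4 a0="sed" a1="-i" a2=732F6120312F6120322F a3="/etc/nginx/nginx.conf"
type=CWD msg=audit(1568922025.123:4242): cwd="/etc/nginx"
type=SYSCALL msg=audit(1568922101.500:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3111 auid=1001 uid=0 euid=0 tty=pts1 ses=7 comm="mysql" exe="/usr/bin/mysql" key="root_cmds"
type=EXECVE msg=audit(1568922101.500:4243): argc=3 a0="mysql" a1="-uroot" a2="appdb"
type=CWD msg=audit(1568922101.500:4243): cwd="/root"
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(raw):
    """Plain args are quoted; args with spaces/control chars are unquoted hex."""
    if raw.startswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_audit_log(text):
    """Join SYSCALL/EXECVE/CWD records sharing an event id into one dict per
    command, keyed on auid: the login uid survives su/sudo while uid becomes 0."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        f = dict(FIELD_RE.findall(line))
        ev = events[m.group(2)]
        ev["ts"] = float(m.group(1))
        if f["type"] == "SYSCALL":
            ev.update(auid=int(f["auid"]), uid=int(f["uid"]), ses=int(f["ses"]))
        elif f["type"] == "EXECVE":
            ev["argv"] = [decode_arg(f[f"a{i}"]) for i in range(int(f["argc"]))]
        elif f["type"] == "CWD":
            ev["cwd"] = f["cwd"].strip('"')
    return [events[k] for k in sorted(events, key=int) if "argv" in events[k]]

def format_timeline(commands):
    """One line per command: UTC time, login uid, session, cwd, argv."""
    return [
        datetime.fromtimestamp(c["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
        + f" auid={c['auid']} ses={c['ses']} cwd={c['cwd']} $ " + " ".join(c["argv"])
        for c in commands
    ]
```

Running `format_timeline(parse_audit_log(...))` over records forwarded to the remote log host gives a per-session command timeline that the contractor cannot edit from the monitored server.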
