
I have this user that has limited sudo privileges, yet he manages to screw up from time to time. I would like to keep an eye on his adventures, so that I can reverse any damage with less digging. Ideally, I'd want a service with the following functionality being well integrated and presentable

  • Tracks shell input and output like ttyrec (or script or sudo if logging is set up) and can replay the session like ttyplay (or scriptreplay or sudoreplay). Compatibility with ncurses programs would be nice, but not necessary; ttyrec can do it apparently.
  • Tracks file access, creation and modification. Ideally, it could also backup a file each time it is changed or deleted.

So far I have found several tools that I would have to set up to get most of the requested functionality, but I haven't come across an OSS product that would integrate them nicely (Lynis community edition isn't really clear on the functionality).

  • I could put `ttyrec $(mktemp)`, `script $(mktemp)` or `sudo -u $USER -i` (with sudo logging set up) in his `.bashrc` to log the shell IO.
  • Set up auditing to track file access in some dirs, like /usr, /etc, /var.
  • Create an LVM snapshot when he logs in, but that is a bit of overkill and might degrade system performance.

EDIT: ttyrec seems to be a better alternative to script; it would satisfy all my IO logging requirements. Now I need to find a good way to log file manipulation.

I'll be grateful for any suggestions or recommendations of best practices.

Ondřej Grover
  • Hint: In some countries this may not be legal without the permission of the user. – Cyrus Aug 26 '15 at 07:34
  • @Cyrus thank you for the reminder, he would know about it. It's more about finding a less intrusive and more automatic way than to ask him to remember to always run everything in a `script` session. It's not about spying on him, but about giving him assurance that his mistakes can be back-tracked. – Ondřej Grover Aug 26 '15 at 08:00
  • I think that this user should not have sudo privileges. – dr_ Aug 26 '15 at 08:17
  • @dr01 ideally yes, I would do the administration for him. But that is not always possible. He doesn't always screw up, I just need to set up a safety net. – Ondřej Grover Aug 26 '15 at 08:19
  • Also [keep configuration in VCS](https://help.ubuntu.com/lts/serverguide/etckeeper.html). – muru Aug 26 '15 at 08:49
  • Use `inotify` to watch directories, and have a read into the [acct](https://packages.debian.org/wheezy/acct) package for more user accounting. As there is no single program for this, you'll have to tie it together yourself it would seem, and if you do, release back to the community :) – gwillie Aug 26 '15 at 09:01
  • How about making his login shell a wrapper with `strace`… – Mingye Wang Oct 23 '15 at 23:28
  • Flagged to delete because this is not legal in most cases and unethical. – buhtz Oct 03 '16 at 12:33

1 Answer


Perhaps you could encourage your admin to use good logging practices. GNU Screen does this quite nicely. It adds quite a bit more functionality than you're looking for, and also has the ability to toggle logging, so he could turn it off himself, if he desired. It lacks the replay functionality, but it could be part of a solution, in that it tracks most input and output when logging is on.

In your use case, you would want to add `deflog on` to the screenrc file to have new windows default with logging on.

This has the disadvantage of being toggleable by your user, however.

You can accomplish the file monitoring using Monit, which watches file checksums for changes, and can also check conditions of various services. Combine this with something like an rsync on a cronjob (since you should have something like that anyways) and you have a fairly solid idea of exactly what's going on on the server, especially if you turn on really tight timestamps in screen and trust your user not to fiddle with the logging settings.

By combining these tools, you should have a fairly robust and lightweight system that lets you keep a decent eye on your user while ensuring a basic level of salvageability.
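One way to get the "backup a file each time it is changed or deleted" behaviour the question asks for, next to the Monit/rsync approach in this answer, as an added shell example that is not from the question or the answer: `backup_changed_file` keeps a timestamped, checksum-deduplicated copy of a file under `BACKUP_ROOT` (assumed `/var/backups/watched`), and `watch_and_backup` feeds it from `inotifywait`. It assumes inotify-tools for the watcher and GNU coreutils `sha256sum` for the checksum.

```shell
#!/bin/sh
# Added example: versioned copies of files as they change under watched dirs.
# BACKUP_ROOT is an assumed location; override it in the environment.
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/watched}"

# backup_changed_file FILE
# Copies FILE to $BACKUP_ROOT/<abs path>.<UTC timestamp>.<sha256 prefix>.
# If the newest existing copy already has this checksum, nothing is written
# and that copy's path is printed instead (dedup for repeated saves).
backup_changed_file() {
    file=$1
    case $file in /*) ;; *) file="$PWD/$file" ;; esac   # make path absolute
    [ -f "$file" ] || return 1
    sum=$(sha256sum "$file" | cut -c1-16)
    dest_dir="$BACKUP_ROOT${file%/*}"
    base=${file##*/}
    mkdir -p "$dest_dir"
    # Newest previous copy: names sort by timestamp, checksum is the last field.
    latest=$(ls -1 "$dest_dir/$base".* 2>/dev/null | tail -n 1)
    if [ -n "$latest" ] && [ "${latest##*.}" = "$sum" ]; then
        printf '%s\n' "$latest"
        return 0
    fi
    dest="$dest_dir/$base.$(date -u +%Y%m%dT%H%M%SZ).$sum"
    cp -p "$file" "$dest"      # -p keeps mode/owner/mtime for later restore
    printf '%s\n' "$dest"
}

# watch_and_backup DIR...
# Recursively watches DIRs; every completed write or move-in is backed up,
# deletions are recorded in $BACKUP_ROOT/events.log (requires inotify-tools).
watch_and_backup() {
    mkdir -p "$BACKUP_ROOT"
    inotifywait -m -r -e close_write -e moved_to -e delete \
        --format '%e %w%f' "$@" |
    while read -r event path; do
        case $event in
            DELETE*) printf '%s DELETED %s\n' "$(date -u +%FT%TZ)" "$path" \
                         >> "$BACKUP_ROOT/events.log" ;;
            *)       backup_changed_file "$path" > /dev/null ;;
        esac
    done
}

# Usage: BACKUP_ROOT=/var/backups/watched ./watch.sh watch /etc /usr/local/etc
if [ "${1:-}" = "watch" ]; then
    shift
    watch_and_backup "$@"
fi
```

The resulting copies restore with a plain `cp`, and the checksum suffix lets you match a backup against the current file with `sha256sum` alone.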