LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-14-2006, 01:56 AM   #1
overlord73
Member
 
Registered: Apr 2004
Location: ..where no life dwells..
Posts: 541

Rep: Reputation: 30
log file access for 2nd root


Hi,

On a production system I have a second root user (a remote admin responsible for a few apps and daemons). Via a script I allow this user to connect via ssh.

The question is: is there a way to "monitor" what this user is doing? A log file showing which files have been changed by this user would be fine!

...or any other ideas? How would you solve this?

cheers...

(System is SuSE 10)
 
Old 02-14-2006, 03:57 AM   #2
cs-cam
Senior Member
 
Registered: May 2004
Location: Australia
Distribution: Gentoo
Posts: 3,545

Rep: Reputation: 57
If you trust this user so much that you want a log of what they do, why give them root privileges at all? Have a look into using sudo; it will allow you to choose what they can and can't do, and it'll let you log what they do easily.
 
Old 02-14-2006, 05:00 AM   #3
overlord73
Member
 
Registered: Apr 2004
Location: ..where no life dwells..
Posts: 541

Original Poster
Rep: Reputation: 30
Hm, I thought about this, but it seems this would be a lot of work to find out all the commands they should be allowed to do... I thought there might be an easy alternative...
 
Old 02-14-2006, 07:30 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,417
Blog Entries: 55

Rep: Reputation: 3627
If you trust this user so much that you want a log of what they do, why give them root privileges at all?
I agree this is the major question, and you should solve that beforehand. If you find accounting at this level a necessity, then you must set up a policy wrt purpose, retention time, privacy issues, etc., etc., and inform them of being watched. If you can explain why this is needed and they agree, then any responsible admin should have no problem with it.

I'm sure I'm forgetting something, but this should somewhat cover it. This box should be properly hardened. Since there is not much you can do to stop a wheel group/root account user from altering/circumventing any methods you put into place, the first thing to do (after getting agreement) would be to set up remote syslogging. Correlating login times with absence of data means trouble. Of course they should not have access to that part of the infrastructure where the syslog server resides. After that, set up a framework to extend logging, which the GRSecurity kernel patch can provide. After that you should set up rootsh, which can syslog the complete session. Note that parsing>reporting>taking action in relation to the above is something that only takes place *after* the event. Prevention by taking away capabilities and/or denying users access to certain commands using something like RBAC "is left as an exercise to the reader"...


thought there might be an easy alternative
This maybe sounds a bit harsh, but (with all due respect) "easy" implies dropping qualitatively good solutions for lame ones, preferably those that cost virtually no time or knowledge to implement. If there's a distinct need to monitor users then you should invest time to research and tinker. If you want things the "easy" way then please press ALT+F4 repeatedly until poweroff :-]
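The "correlating login times with absence of data" check from the post above, written out as an added example (not code from the thread): it reads constructed remote-syslog lines for an assumed host "appsrv" and admin account "remoteadm", rebuilds the admin's ssh sessions from the sshd pam_unix lines, and flags any session during which the host sent nothing for longer than an assumed 15-minute threshold, or that never logged a session close.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of lines a remote syslog server might receive from a host
# "appsrv"; hostname, user, PIDs and timestamps are all made up for this demo.
SAMPLE_LOG = """\
Feb 14 08:00:01 appsrv sshd[2101]: Accepted publickey for remoteadm from 10.0.0.5 port 51022 ssh2
Feb 14 08:00:01 appsrv sshd[2101]: pam_unix(sshd:session): session opened for user remoteadm by (uid=0)
Feb 14 08:03:12 appsrv su: (to root) remoteadm on /dev/pts/1
Feb 14 08:05:40 appsrv cron[2150]: (root) CMD (run-parts /etc/cron.hourly)
Feb 14 08:09:55 appsrv sshd[2101]: pam_unix(sshd:session): session closed for user remoteadm
Feb 14 13:30:00 appsrv sshd[2420]: Accepted publickey for remoteadm from 10.0.0.5 port 51090 ssh2
Feb 14 13:30:00 appsrv sshd[2420]: pam_unix(sshd:session): session opened for user remoteadm by (uid=0)
Feb 14 13:31:15 appsrv su: (to root) remoteadm on /dev/pts/2
Feb 14 14:20:07 appsrv sshd[2420]: pam_unix(sshd:session): session closed for user remoteadm
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[(\d+)\])?: (.*)$")
YEAR = 2006  # classic syslog timestamps carry no year; assumed for the sample

def parse_line(line):
    """Return (timestamp, host, program, pid, message), or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=YEAR)
    return ts, m.group(2), m.group(3), m.group(4), m.group(5)

def audit_sessions(log_text, user, max_silence=timedelta(minutes=15)):
    """Flag ssh sessions of `user` during which the host sent nothing for longer
    than max_silence (threshold is an assumption), or that never logged a close."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    opened, sessions = {}, []          # sshd pid -> open time; (pid, start, end)
    for ts, _host, prog, pid, msg in events:
        if prog == "sshd" and msg.endswith(f"session opened for user {user} by (uid=0)"):
            opened[pid] = ts
        elif prog == "sshd" and msg.endswith(f"session closed for user {user}") and pid in opened:
            sessions.append((pid, opened.pop(pid), ts))
    sessions += [(pid, t, None) for pid, t in opened.items()]  # still "open" at end of log
    findings = []
    for pid, start, end in sessions:
        if end is None:
            findings.append({"pid": pid, "opened": start, "closed": None,
                             "reason": "no session-closed line: did the log stream stop?"})
            continue
        stamps = [ts for ts, *_ in events if start <= ts <= end]  # every message, any program
        gap = max(b - a for a, b in zip(stamps, stamps[1:]))
        if gap > max_silence:
            findings.append({"pid": pid, "opened": start, "closed": end, "longest_gap_s": int(gap.total_seconds()),
                             "reason": "host went silent while the admin was logged in"})
    return findings
```

The check only means something when the lines come from a syslog server the admin cannot reach, as the post says; a local log can simply be edited by root.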