TransWikia.com

Action log of last ssh login

Server Fault Asked by AndrewL64 on January 15, 2021

Assuming I give a sys admin temporary ssh (root/sudo) access to my server (Ubuntu 18.04) to assist with an issue, how would I check what changes were made by the person afterwards?

Some of the things I would like to know would include knowing which files were edited, which files were created, which files were opened, etc.

Is there an action log where one could check things like this?

2 Answers

As was mentioned, there is a trust involved when someone has root access to your system. I will make the assumption that the person is at least not hostile.

What I would do is to:

  1. Ensure that you have a good, full backup of your system. This is a good idea in general anyway.
  2. Run a file integrity monitor tool such as aide, which can tell you what file(s) changed. This will include log files, the shell history file, and any other changes the person made (excepting hostile rootkit type changes which can be hidden). You probably should copy the aide database off the system, just out of paranoia.
  3. Let the person do the work.
  4. Re-run aide and look at the list of changed files. You can compare the current version with your backup to see what changes the person made.

aide is the most popular open source file integrity monitor. Tutorials (e.g., this one) and lots of information about using it are available. It has an Ubuntu package. There are also commercial solutions.

Answered by Kenneth on January 15, 2021
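The four steps above are exactly the aide --init / aide --check cycle. The script below is an added example, not aide itself and not part of the answer: it builds the same kind of baseline (path, SHA-256, mode, owner, group, size) for a directory tree before the visit, and afterwards reports which files were added, removed, changed in content, or changed only in metadata. Keep the baseline file outside the tree you are watching (and ideally off the box), for the same reason the answer says to copy the aide database off the system. It assumes GNU coreutils (sha256sum, stat -c), and deliberately covers regular files only.

```shell
# fim.sh: minimal file-integrity baseline and check in the spirit of
# "aide --init" followed by "aide --check".  Added example, not aide.
#
# Baseline format, one line per regular file (paths relative to DIR):
#   <path>\t<sha256>\t<mode:uid:gid:size>
# Limitations kept on purpose: regular files only; filenames containing
# newlines or tabs are not handled; GNU stat/sha256sum assumed (Ubuntu).
#
# Usage:
#   . ./fim.sh
#   fim_baseline /etc /root/etc.before      # before the admin logs in
#   ...                                     # let the person do the work
#   fim_check    /etc /root/etc.before      # afterwards: list the changes

# fim_baseline DIR OUTFILE : write a sorted baseline of DIR to OUTFILE.
fim_baseline() {
  (
    cd "$1" || exit 1
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      hash=$(sha256sum -- "$f" | cut -d ' ' -f 1)
      meta=$(stat -c '%a:%u:%g:%s' -- "$f")
      printf '%s\t%s\t%s\n' "$f" "$hash" "$meta"
    done
  ) > "$2"
}

# fim_check DIR BASELINE : compare DIR against BASELINE and print one line
# per difference: "added <path>", "removed <path>",
# "changed <path> content" or "changed <path> metadata <old> -> <new>".
# A content change is reported before any metadata change on the same file.
fim_check() {
  now=$(mktemp) || return 1
  fim_baseline "$1" "$now"
  awk -F '\t' '
    # First file (the baseline): remember hash and metadata per path.
    FILENAME == ARGV[1] { bhash[$1] = $2; bmeta[$1] = $3; next }
    # Second file (current state): classify each path.
    {
      seen[$1] = 1
      if (!($1 in bhash))        print "added\t" $1
      else if (bhash[$1] != $2)  print "changed\t" $1 "\tcontent"
      else if (bmeta[$1] != $3)  print "changed\t" $1 "\tmetadata " bmeta[$1] " -> " $3
    }
    # Anything in the baseline that was not seen now has been deleted.
    END { for (p in bhash) if (!(p in seen)) print "removed\t" p }
  ' "$2" "$now" | LC_ALL=C sort
  rm -f "$now"
}
```

Note what this does not catch, which is the same gap the answer flags for aide: a root user can edit the baseline if it is reachable, and a rootkit can lie to find, stat and sha256sum, so the check is only as good as the copy of the baseline you kept out of the person's reach and the integrity of the tools you run it with.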

You could check the shell's history, but shell history is easy to defeat. Even just prefacing a command with a space will keep it from being added to history, by default.

To go one step further, research enabling and using pam_tty_audit and shipping those audit logs off to a remote host for review. Commercial tools that do similar auditing would be things like cmd.com.

Answered by Wesley on January 15, 2021
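A concrete configuration for the pam_tty_audit route above, added here as an example and not part of the answer. It assumes Ubuntu 18.04 with the auditd and audispd-plugins packages installed and auditd running, that the visiting admin logs in over ssh as an account called visitor (a placeholder name) and elevates with sudo, and that a log collector is reachable as 10.0.0.5 (also a placeholder). The PAM line goes in common-session because the sshd, sudo and su stacks all include it on Ubuntu, so keystrokes are captured before and after the privilege change.

```text
# /etc/pam.d/common-session  (append; pam_tty_audit.so ships in libpam-modules)
# Record every keystroke typed by root and by the visiting account.
# Adding the log_passwd option would also capture what is typed at password
# prompts, so leave it off unless you accept secrets landing in the audit log.
session required pam_tty_audit.so disable=* enable=root,visitor

# /etc/audisp/plugins.d/au-remote.conf  (forward events off-box as they occur)
active = yes

# /etc/audisp/audisp-remote.conf  (where to forward them; collector is assumed)
remote_server = 10.0.0.5
port = 60
transport = tcp

# On the collector, /etc/audit/auditd.conf must accept them:
tcp_listen_port = 60
```

After restarting auditd on both hosts, `aureport --tty -ts today` summarises the captured keystrokes per session and `ausearch -m TTY -ua root` dumps the raw TTY records for root; `ausearch -m USER_CMD` lists the commands sudo itself logged. The local copy of the audit log is writable by anyone with root, so treat only the copy on the collector as the record, which is why the answer says to ship it off to a remote host.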

