[olug] Sharing root priv, tracking what other root does
    Christopher Cashell 
    topher at zyp.org
       
    Thu Dec 11 03:22:40 UTC 2003
    
    
  
At Wed, 10 Dec 03, Unidentified Flying Banana netsaint at cox.net, said:
> I'm looking for a way to track what another root user does on a
> sensitive Linux server that I have had exclusive control of.
> Recently, I was strong-armed into giving root access to another.
It's always frustrating when this happens. ;-)
> Prior to sharing control I made it very clear, you break it and I
> kill you'!  When this new root user breaks it, and he/she/it will, I
> should be able to recover nicely using AMANDA.
Good call.  Always be ready for when the new guy screws up. ;-)
> Perhaps my emphatic statement was enough, to date, he/she/it has not
> attempted to login as root.  ;-)
Well, that's a good sign.  Perhaps he knows that root should be used as
rarely as possible.
> Any of you admins have experience in anything?  If so, how did you
> remedy it?
One thing I've used, is to "require"[1] that all root commands be run
via sudo.  sudo defaults to logging all use.  It's not a perfect, nor
foolproof, solution, but it could help a lot.
 [1] Obviously, there's no real way to force this requirement. . . if
     you give out full access to sudo, then there are numerous ways to
     get around the command logging ('sudo -s' being the easiest, which
     runs a shell as root).  However, if other administrators agree to
     abide by using sudo, it can be very effective.
-- 
| Christopher
+------------------------------------------------+
| A: No.                                         |
| Q: Should I include quotations after my reply? |
+------------------------------------------------+
    
    
More information about the OLUG
mailing list