On 08/09/2012 01:54 AM, Les Mikesell wrote:
On Wed, Aug 8, 2012 at 11:56 AM, Heng Su ste.suheng@gmail.com wrote:
I want to protect the history file from deleted for all users except
user 'root' can do it, is that possible? For my server, many users can log in with root from remote through ssh, so I can not trace which guy do wrong things. So I decide to create new account for every users and let them use 'sudo' then I can trace which guy typed which command and what he did. However, even if I create new account for every user, they also can delete the history of them self easily.
How should I do. I believe everyone encountered such things
normally.
No, it is not a common situation. Normally you should not let anyone you don't trust become root. For fairly obvious reasons...
Let said if you want get low price to set up multiple application servers and outsource different server set up thing to different person on internet. You have to give the root rights to them, maybe you even don't know which command limitation should be given as you are not a master. so just give all permission to them. I think this scenario happens in small company have no enough man power to do it.
I think there is a gracefully solution for it as I am not experience on server manage. So any suggestions for how to trace user like to write down which user did as an audit trail and let it can not deletable exclude root user?
First, why do so many users need the root password? If they are developers testing things, give them their own VM to break. If they are doing a few routine things, make them log in as themselves and use restricted sudo commands (i.e. don't permit 'sudo su -'. In any case, backups are your friend. Keep copies of anything you might need updated with frequent rsync's from a different, more restricted machine - including the log files you might want to track.
previous scenario also applicable, different developer do code updating in server due to above reason. you can not limit such as do not let them user 'cp' or other common commands as I want to know which guy overwrite wrong file. Even two user, I also need to know which one do wrong things.
Thanks for your suggestions.