5

I'm providing access to a third-party service through SSH. That service installs some packages and does other kinds of configuration on my server. I want to know which commands or scripts are run by that service. Is there any way I can find that?

The third-party service is an automatic system which does all this package installation and configuration.

4
  • 3
    Installing packages implies that they need root level access. When that is the case it is exceedingly difficult to achieve a 100% guaranteed audit trail of all actions they execute when they are malicious and actively seek to hide their actions and audit trail. Commented Oct 25, 2024 at 9:34
  • 4
    The Linux kernel auditd is the canonical tool for creating such audit logs. See for example unix.stackexchange.com/q/84847/48232 Commented Oct 25, 2024 at 9:45
  • Can you simply deny access, and ask them for their installation script to run yourself? Commented Oct 26, 2024 at 4:06
  • If they don’t mind you logging everything they do, then likely they are willing to provide the installation script, like Criggie mentioned above. If they do mind, then you would have to design a secure system, otherwise they can easily bypass it and you still won’t get any useful logs. Commented Oct 27, 2024 at 23:19

2 Answers

6

Trying to log this with something like bash history is fundamentally flawed, because there are all kinds of ways for users to disable or avoid that, or to edit/delete the .bash_history file.

If you want a record of what they're doing you should set up auditd on the system, and have the logs sent to a remote log collection server that they have no access to. It's a good few years old now, but this question has some guidance on setting up auditd, and I'm sure you can find plenty of other more recent guides and references.

2
  • Is there any GUI or something for auditd? There are a lot of auditd logs and reading them is very hard. Commented Oct 26, 2024 at 4:24
  • @AzeemHaider depending on how you configure auditd you can reduce the amount of information it logs to focus on what you're most interested in. But if the logs are too much to manage with a normal text editor or something like grep, then your best bet would be to feed them into something like ELK which gives you much more powerful searching and visualisation. Commented Oct 26, 2024 at 9:36
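The auditd approach from the answer above, shown as an added example that is not part of the original answer or its comments: a small parser that pairs each SYSCALL record with its EXECVE record and prints readable command lines for one login UID. It keys on auid because the login UID stays the same after sudo or su. The rule in the comment, the UIDs and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed, trimmed sample of /var/log/audit/audit.log (not from a real host).
# Assumes an execve rule such as: -a always,exit -F arch=b64 -S execve -k exec_log
# and that 1001 is the (hypothetical) login UID of the third-party account.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1729850000.123:4521): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1001 uid=0 euid=0 tty=pts0 ses=12 comm="apt-get" exe="/usr/bin/apt-get" key="exec_log"
type=EXECVE msg=audit(1729850000.123:4521): argc=4 a0="apt-get" a1="install" a2="-y" a3="nginx"
type=SYSCALL msg=audit(1729850007.456:4530): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1210 auid=1001 uid=0 euid=0 tty=(none) ses=12 comm="sh" exe="/usr/bin/dash" key="exec_log"
type=EXECVE msg=audit(1729850007.456:4530): argc=3 a0="sh" a1="-c" a2=6563686F206F6B203E202F746D702F646F6E65
type=SYSCALL msg=audit(1729850010.001:4533): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1300 auid=1000 uid=1000 euid=1000 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" key="exec_log"
type=EXECVE msg=audit(1729850010.001:4533): argc=1 a0="ls"
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """auditd quotes plain strings and hex-encodes ones with spaces or special bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace')
    except ValueError:
        return value  # literal such as (none)

def commands_by_login_uid(log_text, auid):
    """Return (timestamp, uid, exe, argv) for every execve made under login UID auid."""
    events = defaultdict(dict)  # records of one event share (timestamp, serial)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        ev = events[(float(ts), int(serial))]
        if rtype == 'SYSCALL':
            ev.update(auid=fields.get('auid'), uid=fields.get('uid'),
                      exe=decode(fields.get('exe', '""')))
        elif rtype == 'EXECVE':
            argc = int(fields['argc'])
            ev['argv'] = [decode(fields[f'a{i}']) for i in range(argc) if f'a{i}' in fields]
    return [(ts, ev['uid'], ev['exe'], ev['argv'])
            for (ts, _), ev in sorted(events.items())
            if ev.get('auid') == str(auid) and 'argv' in ev]

if __name__ == '__main__':
    for ts, uid, exe, argv in commands_by_login_uid(SAMPLE_LOG, 1001):
        print(ts, f'uid={uid}', exe, argv)
```

Arguments long enough for the kernel to split across several `aN[i]=` fields are not reassembled here.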
2

Edit the .bashrc of your (third-party service)'s user.

histappend

If set, the history list is appended to the history file when the shell exits,
rather than overwriting the history file.

shopt -s histappend

To append every line to history individually set:

PROMPT_COMMAND='history -a'

With these two settings, a new shell will get the history lines from all previous shells instead of the default 'last window closed' history
(the history file is named by the value of the HISTFILE variable).
2
  • 7
    This is a start but note that this only logs actions when they are made from an interactive login session and nothing when a command is run remotely with for example ssh user@host ls -l - additionally the history is owned by the user who can remove the history file themselves, can exclude commands from history inclusion and you won’t see any of the privileged commands when the user is allowed to run something like sudo -i or sudo su - Commented Oct 25, 2024 at 9:42
  • I checked bash history; nothing is there. Commented Oct 26, 2024 at 4:22
