Get notification each time someone uses apt-get install or changes files in /etc/


Answer: 1

15 hours ago

I manage a couple of servers where several users have sudo rights.

It works like this by design. These are development servers and users need to be able to update / install software and configure it. There are strict rules for it but it's not enough.

This is a problem for the server management team because whenever something goes wrong one has to clean up and make it work again.

Is there a way of being notified each time someone installs a package and/or changes /etc/ files?

I googled, but the only thing I get out of this search is apticron, which is not exactly what I am looking for.

This would be really helpful since it would allow, on the one hand, to control abusive installs and, on the other hand, to quickly track what was done and revert it if needed.

Any other suggestions that might help in handling this are welcome.

Added by: Arvid Carroll

Answer: 2

5 hours ago

In "vanilla" (no additional software downloaded) you would have to write a script that monitors the /var/log/auth.log file. Any time a user uses "su" to become root or any other user, an entry is made here with their UID:

Apr 24 04:32:57 Hostname sudo: pam_unix(sudo:session): session opened for user root by (uid=0)

This would tell you who became root and when. Then you would also be able to parse through each individual user's bash history (stored in the home directory at /home/user/.bash_history). In the end your script would look something like:

for name in $(awk -F: '{print $1}' /etc/passwd); do echo "$name" >> /var/log/report; grep -iE "apt(-get)? install" "/home/$name/.bash_history" >> /var/log/report 2>/dev/null; done

You could also just as easily replace "apt-install" with "sudo" to see all instances of the sudo command being run, but this script would save you the time in seeing who installed programs. If they were using "su" to become root, you would need to take the additional step of tying it to a timestamp and UID in the auth.log file. So long as your devs don't have that access and can only run sudo, it shouldn't be necessary (but all of this falls flat if one of your devs modifies their bash history).

As for monitoring the entire /etc directory, my recommendation would be to look explicitly at timestamps. Whenever a modification is performed on a file (something actually changes/the file is written), the timestamp in ls -l gets updated:

-rw------- 1 user user 32500 Apr 24 04:25 .bash_history

The script for this would be a little more complex, as it would need to recurse through directories, requiring it to also incorporate logic to determine whether an item is a directory. Recursion aside, though, it would be looking at fields 6, 7 and 8 of the ls -l output, ideally running once at the end of the day, and checking whether the timestamp is equal to the day's date. If it is, it would jot down which files were changed or created.

Added by: Colleen Fay
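As an added example that is not part of the answer above or of the original thread, the following POSIX shell script implements both checks from the answer in a slightly more robust form. It reads the COMMAND= records that sudo itself writes to auth.log (owned by root, so a user cannot rewrite them the way they can rewrite ~/.bash_history), and it finds files under a directory that changed since a marker file was last touched, rather than comparing ls -l dates against today. The host name, user names, commands and paths in the sample are constructed.

```shell
#!/bin/sh
# Added example, not code from the answer above. Two checks built from the
# answer's idea: read sudo records from auth.log instead of users' history
# files, and list files changed since the previous run using a marker file.

# Constructed sample of /var/log/auth.log lines (not real log data).
SAMPLE_AUTH_LOG='Apr 24 04:32:57 devbox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install nmap
Apr 24 04:32:57 devbox sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Apr 24 04:40:11 devbox sudo:      bob : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Apr 24 04:40:11 devbox sudo: pam_unix(sudo:session): session opened for user root by bob(uid=1001)
Apr 24 05:01:03 devbox sshd[2211]: Accepted publickey for carol from 10.0.0.5 port 50212 ssh2'

# Print "Mon DD HH:MM:SS user command" for every sudo COMMAND= record on stdin.
# sudo logs the invoking user and the full command on a single line, so no
# correlation with .bash_history or with the pam_unix session line is needed.
sudo_commands() {
    sed -n 's/^\([A-Z][a-z][a-z] *[0-9]* [0-9:]*\) [^ ]* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2 \3/p'
}

# Keep only package-manager install/remove commands from the sudo records.
package_installs() {
    sudo_commands | grep -E '/(apt-get|apt|aptitude|dpkg) +(install|remove|purge|-i)'
}

# List regular files under directory $1 modified after marker file $2, then
# refresh the marker so the next run only reports new changes. On the first
# run the marker does not exist yet; it is created and nothing is reported.
changed_since() {
    dir=$1
    marker=$2
    if [ ! -e "$marker" ]; then
        touch "$marker"
        return 0
    fi
    find "$dir" -type f -newer "$marker" | sort
    touch "$marker"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | package_installs
```

Run from cron as root, the two functions can be pointed at /var/log/auth.log and at /etc with a marker file such as /var/lib/etc-watch.stamp (constructed path), and the combined output mailed to the team. Because sudo records the command before executing it, this also catches installs by users who later edit their history, which is the gap the answer points out; and because the marker compares against the previous run rather than the calendar date, a file edited just before midnight is still reported by a job that runs shortly after it.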
