Sunday, March 1, 2015

linux - Best practice for providing server admin contractor with root access (on CentOS)?



I am hiring a freelance Server Admin (who is more experienced than me - that's why I am hiring them) to do some work on my CentOS-running VPS. They will require root-level access to the server, as they need to install server daemons and such.




What's the best practice in this scenario: how can I identify if the contractor goes and install root kits or does something otherwise nasty? What I have done is created a new account for the user, added the new account to group "wheel", and then used visudo to enable the group wheel to run all commands.



Are there any other steps I should be taking? I accept that by handing over sudo privileges the contractor could pretty much do whatever they want and the end of the day I need to trust them; I guess I at minimum want to make sure I have a record of whatever they do, just in case.



Thanks


Answer



One option is to use system configuration tools like puppet, so they can explicitly outline what is to be done to the server. Of course, that requires someone to review their work before it be applied.



The other option is to set up a network syslog service. By forwarding logged messages to another server they don't control, you can at least guarantee the integrity of logs. Make sure the system records logins / logouts and ideally, restrict access to sudo so all root commands can be sourced to specific user. Again, this server needs to be root accessible only to as few people as possible.



No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...