Channel: Spiceworks Community

Needing to record vendor activities on my Ubuntu servers. psacct or alternative


Hi All

I have a 3rd party vendor who does remote software maintenance on my ERP system.

We are very concerned that a junior tech on their side takes a copy of our database for a "rainy day".

Currently, I only enable their remote access after I have driven to their offices to supervise the technician doing the work, and I immediately disable it after they are done (done via my firewall).

While I am likely to continue with this practice for this and other reasons (I caught a tech just before he was about to run the wrong command to remove temp data), the vendor's management is very frustrated by this arrangement, mainly due to the trouble of arranging times that are convenient for all and then having to cancel at the last moment due to operational requirements.

I am looking for a way to record and audit all commands executed on the server over SSH. I know I can look at the Bash history, but that is easily tampered with. I am looking at psacct (process accounting) and it seems to do the required basics that would allow me to open access when required and audit the commands executed afterwards. I will still enable it in a test environment, but I am concerned that the following 2 gaps may exist with it.

1. Once the user logs into the MySQL shell, he can send the database to a remote server.

2. I don't know if I can track file transactions done via WinSCP or another SCP client.

What I would like to know is if there are any other options for more comprehensive auditing, or any other experience you can share.
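
Added example, not part of the original post: a review pass over process-accounting records for one account, showing how the two gaps listed above appear in the records. The sample lines, the `vendor` account name, the watch list and the assumed `lastcomm` column layout are constructed for illustration; process accounting stores only the command name, so statements typed inside `mysql` and the files moved by `scp` do not appear.

```python
import re

# Constructed sample in the style of `lastcomm` output (psacct). Assumed layout:
# command, optional flags, user, tty, CPU seconds, start time.
SAMPLE = """\
sshd              SF   root     __         0.01 secs Mon Mar  3 14:00
bash                   vendor   pts/1      0.03 secs Mon Mar  3 14:00
mysql                  vendor   pts/1      0.42 secs Mon Mar  3 14:02
mysqldump              vendor   pts/1      5.10 secs Mon Mar  3 14:05
scp                    vendor   __         0.20 secs Mon Mar  3 14:09
sftp-server            vendor   __         0.08 secs Mon Mar  3 14:12
rm                     vendor   pts/1      0.00 secs Mon Mar  3 14:15
"""

# The flags column is optional; backtracking drops it when the line has none.
LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?:(?P<flags>[SFCDX]+)\s+)?(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>\d+\.\d+) secs (?P<start>.+)$"
)

# Hypothetical watch list: commands whose accounting record hides what was done.
WATCH = {
    "mysql": "interactive client: statements typed inside it are not recorded",
    "mysqldump": "database export: destination is not recorded",
    "scp": "file copy: file names and direction are not recorded",
    "sftp-server": "SFTP session: transferred files are not recorded",
}

def parse(text):
    """Turn accounting lines into dicts, skipping lines that do not match."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def review(records, account):
    """Split one account's records into (flagged, other) lists."""
    flagged, other = [], []
    for r in records:
        if r["user"] != account:
            continue
        note = WATCH.get(r["cmd"])
        (flagged if note else other).append((r["start"], r["cmd"], note))
    return flagged, other

if __name__ == "__main__":
    flagged, other = review(parse(SAMPLE), "vendor")
    for start, cmd, note in flagged:
        print(f"REVIEW {start}  {cmd:<12} {note}")
    print("other commands:", ", ".join(cmd for _, cmd, _ in other))
```

If the SSH server handles SFTP inside `sshd` rather than launching `sftp-server`, no separate record appears for those transfers.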

