I did not know in which sub-forum this topic should be posted.
I have a web hosting service. I am my own admin. If I employ a second Linux and server admin, maybe he changes the Linux OS with his own compiled version and changes core or other Linux files for spying and hacking! If he inserts a keylogger or clipboard grabber or spying file in the default manner of a core or other Linux file, then antivirus cannot find any problem. How can we prevent this?
Please note: I had Linux Debian OS on my computer and I installed an application that was a legal keylogger and clipboard grabber. I saw it detect the root password and save it, and save clipboard contents in a text file! When I used several anti-viruses they could not find any problem and all said the system is OK! That was only an application; if a person compiles or inserts a Linux OS file that has the ability of keylogging or clipboard grabbing, generic anti-viruses cannot find that. We must give root access to our system admins; for example, in a large company with thousands of Linux web servers we want to detect clipboard and keylogging acts even if they are defined as legal Linux core file acts. Is there any solution? Please help. Thanks
Hi fuic fuic,
May we know if you’re using Sophos endpoint enterprise or a trial version? The only way that we would be able to block the keylogger application is if it's malicious in nature or actually contains malware. If the application is legitimate, however, you may want a type of application control on the Debian server. At the moment we don't have this feature implemented, but you can submit a feature request here [Feature Requests (sophos.com)] if this is something that you would like to see in the future.
fuic fuic said: maybe he changes the Linux OS with his own compiled version and changes core or other Linux files for spying and hacking!
I think you need to hire good people or work through your trust issues (maybe both).
Otherwise, EDR will let you query the endpoint or XDR will journal the activity and let you retrospectively query for malicious behaviour. You can also pipe bash history to syslog and use a SIEM to monitor what your admins are doing.
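One way to implement the "pipe bash history to syslog" suggestion above, as an added example that is not from the original thread or from Sophos: a hook for bash that ships each completed interactive command to syslog via `logger`, so a SIEM can review what administrators ran. The record format, the `audit_record`/`audit_emit` helpers and the `AUDIT_LOGGER`/`AUDIT_FALLBACK` variables are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): forward interactive shell commands to
# syslog for SIEM review of admin activity. Record format is an assumption.

# Build one audit line from its fields. Newlines in a multi-line command are
# squashed to spaces so one command is always exactly one log record.
audit_record() {
    _user="$1"; _tty="$2"; _cwd="$3"; _cmd="$4"
    _cmd=$(printf '%s' "$_cmd" | tr '\n\r' '  ')
    printf 'user=%s tty=%s cwd=%s cmd=%s\n' "$_user" "$_tty" "$_cwd" "$_cmd"
}

# Send a record to syslog (facility local6, tag bash-audit) so rsyslog/journald
# can forward it off-host. AUDIT_LOGGER exists so the path can be overridden;
# if no logger is available the record is appended to AUDIT_FALLBACK instead.
audit_emit() {
    if command -v "${AUDIT_LOGGER:-logger}" >/dev/null 2>&1; then
        "${AUDIT_LOGGER:-logger}" -p local6.info -t bash-audit -- "$1"
    else
        printf '%s\n' "$1" >> "${AUDIT_FALLBACK:-/var/log/bash-audit.log}"
    fi
}

# bash-only hook: PROMPT_COMMAND runs right before each prompt, i.e. just
# after the previous command finished. `history 1` prints "  123  command";
# the leading history number is stripped before logging.
bash_audit_hook() {
    _last=$(HISTTIMEFORMAT= history 1 2>/dev/null | sed 's/^ *[0-9]* *//')
    [ -n "$_last" ] || return 0
    _tty=$(tty 2>/dev/null || echo none)
    audit_emit "$(audit_record "$(id -un)" "$_tty" "$PWD" "$_last")"
}

# To enable for all users, source this file from /etc/bash.bashrc and set:
#   PROMPT_COMMAND='bash_audit_hook'
```

A root administrator can unset `PROMPT_COMMAND` or start a different shell, so this hook records normal activity for review but does not replace kernel-level auditing (auditd) or the EDR/XDR journaling mentioned above.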