Monitoring User (developer) interaction


I’m looking for a "tamper proof" way, if there is such a thing, to monitor what a developer/engineer does on a given system.

To expand a bit more about this, we have several systems that run a Ruby on Rails technology stack with Ubuntu Docker containers on K8S, and for our PCI compliance, we require a monitoring solution that allows us to basically track what a developer/engineer does on a system from the point where an SSH session is established until the session is terminated.

Ideally, we’d like to see:

  • Loggin in
  • Any commands used in the SSH session
  • Any commands/code executed with irb or rails console
  • These logs send to Cloudwatch
  • Inability to disable this monitoring

I was originally thinking about a simple shell overwrite for the above commands to simply track every command going on, and rely on the shell history to see what has been happening, but that obviously doesn’t pass the "tamper proof" requirement, as anyone with SSH access would be able to bypass that.

I’m thinking more about some OS level monitoring to either watch the processes directly we know that will be used for working with the PCI sensitive information, or just monitor all tty trafic/interaction.

What I’m looking for is best-practises, reading material or recommendations on what’s the accepted/recommended way for setting up a system like this.