Yep, under normal circumstances where users log in and do all sorts of funny stuff, I'd agree with him. I probably should've elaborated in my original post a bit.
In this case, the account is used exclusively by an automated system, always using the same OS account and always running straight shell commands every so often. All the commands the automated system was configured to run show up in the history, and as often as we would expect it to show up.
My problem with this is: a) how did they establish that this account ran the command they're talking about repeatedly? b) if all the other commands show up, why not the one they claim was run?
I accept that it's not as clear-cut as every single command an OS account ever runs getting logged in the history files, but in this case I just don't think the sysadmin is on the right track. He's essentially resorted to shifting all the blame onto the automated system.
Were it up to me, I'd want the following done:
- Create a completely new, secure, dedicated OS account for use by the automated system only, as I seriously suspect that the OS account they're referring to might just be compromised.
- Configure some serious auditing on this new account. Log who logged in from where and at what time. More to the point, log whenever something other than the automated system logs in to this account.
- Have the sysadmins simply remove any privileges to commands they're not comfortable with users having access to.
- Have the automated system connect to a test system first and have the sysadmins monitor the server for a specified amount of time to make sure nothing happens that they're not happy with.
- If everyone's still happy at this point, carry out the same steps on the proper system.
Anyways, thanks again for all the help guys. And wish me luck!
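One way to implement the "log whenever something other than the automated system logs in" check from the list above, as an added example that is not from the original thread: it parses constructed sshd lines in auth.log format and flags logins to the service account that come from a host, or use an auth method, other than the automation's. The user name "autosvc", the host names and the IP addresses are assumed placeholders, not values from the post.

```python
import re

# Constructed sample of sshd lines in auth.log format. The host, the service
# user "autosvc", and the IP addresses are placeholders, not from the thread.
SAMPLE_AUTH_LOG = """\
Mar 10 02:00:01 dbhost sshd[4101]: Accepted publickey for autosvc from 10.0.5.20 port 51234 ssh2
Mar 10 02:15:01 dbhost sshd[4188]: Accepted publickey for autosvc from 10.0.5.20 port 51290 ssh2
Mar 10 03:42:17 dbhost sshd[4420]: Accepted password for autosvc from 192.0.2.77 port 60012 ssh2
Mar 10 03:45:02 dbhost sshd[4433]: Failed password for autosvc from 192.0.2.77 port 60020 ssh2
Mar 10 04:00:01 dbhost sshd[4501]: Accepted publickey for autosvc from 10.0.5.20 port 51310 ssh2
Mar 10 09:12:44 dbhost sshd[5102]: Accepted publickey for alice from 10.0.9.3 port 40222 ssh2
"""

# Matches both successful and failed sshd login attempts.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_logins(text):
    """Yield one dict per sshd login-attempt line found in the text."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def unexpected_logins(text, service_user, allowed_sources, allowed_methods=("publickey",)):
    """Return login events for service_user that did not come from the
    automation's host(s) or did not use its auth method (e.g. a password
    login when the automation only ever uses a key). Failed attempts are
    kept too, because they show someone probing the account."""
    return [
        ev for ev in parse_logins(text)
        if ev["user"] == service_user
        and (ev["src"] not in allowed_sources or ev["method"] not in allowed_methods)
    ]


if __name__ == "__main__":
    # The automation is assumed to connect only from 10.0.5.20 with a key.
    for ev in unexpected_logins(SAMPLE_AUTH_LOG, "autosvc", {"10.0.5.20"}):
        print(f'{ev["ts"]}: {ev["result"]} {ev["method"]} for {ev["user"]} from {ev["src"]}')
```

Run it against the real auth.log (or feed it the output of a log shipper) and alert on any non-empty result; the two flagged lines in the sample are the password logins from the unknown address.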