I am cross-posting this question from Serverfault, because I am in doubt where it fits best.
Say I have a server set up for processing sensitive data. The few authorised users of the system are instructed not to copy any of the sensitive data out of the platform, but could in principle do so using scp etc. This is similar to my car being able to drive at about 200 km/h although I am not allowed to do so anywhere around where I live.
Now can I somehow detect and log (preferably via auditd, but could be other tools) if a user somehow copies data out of the system?
I suppose I could explicitly monitor the use of commands such as scp, rsync, ftp, sftp etc., but then again there may be other tools I am not monitoring, users’ own programs, malicious users’ renamed copies of common copying tools etc.
I imagine some things might be more reliably detected at the network level, but still: would a sufficiently determined malicious user not be able to, for example, sneak data out through an encrypted network connection where I cannot monitor what is being transferred?
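One way to make the auditd approach the question describes less dependent on tool names is to audit the connect() syscall rather than the execution of scp, rsync and friends, and then correlate each SYSCALL record with its SOCKADDR record to see where the connection went. The script below is an added example, not code from the original post or any project it mentions. It assumes a rule such as `-a always,exit -F arch=b64 -S connect -F auid>=1000 -F auid!=unset -k outbound` has been loaded with auditctl (the key name "outbound", the auid range and the allow-listed networks are assumptions), and it runs over a constructed sample of audit records, including a renamed copy of scp that a command-name rule would miss. It cannot see inside an encrypted session, so it answers "who connected where, with which binary", not "what was transferred".

```python
"""Correlate auditd connect() records with their destination, independent of the tool name.

Added example, not from the original post. Assumes this audit rule is loaded
(key name and auid range are assumptions; adapt to the host):

    -a always,exit -F arch=b64 -S connect -F auid>=1000 -F auid!=unset -k outbound

With that rule every connect() by a logged-in user yields a SYSCALL record plus a
SOCKADDR record sharing the same event serial, whatever the binary is called.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

AF_INET, AF_INET6 = 2, 10

# Constructed sample records (not real logs). Event 102 is a copy of scp renamed to
# "bk" run from the user's home directory; a rule keyed on comm="scp" would miss it.
# Event 106 is an AF_UNIX connect (local IPC) and must not be reported.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd0 a2=10 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ssh" exe="/usr/bin/ssh" key="outbound"
type=SOCKADDR msg=audit(1700000000.100:101): saddr=02000016C0A801050000000000000000
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd0 a2=10 a3=0 items=0 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bk" exe="/home/alice/bk" key="outbound"
type=SOCKADDR msg=audit(1700000000.200:102): saddr=020001BBCB00710A0000000000000000
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd0 a2=10 a3=0 items=0 ppid=2000 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="psql" exe="/usr/bin/psql" key="outbound"
type=SOCKADDR msg=audit(1700000000.300:103): saddr=020015387F0000010000000000000000
type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffd0 a2=10 a3=0 items=0 ppid=2000 pid=2004 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="outbound"
type=SOCKADDR msg=audit(1700000000.400:104): saddr=02000050C63364070000000000000000
type=SYSCALL msg=audit(1700000000.500:105): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd0 a2=1c a3=0 items=0 ppid=2000 pid=2005 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="rsync" exe="/usr/bin/rsync" key="outbound"
type=SOCKADDR msg=audit(1700000000.500:105): saddr=0A0000160000000020010DB800000000000000000000000100000000
type=SYSCALL msg=audit(1700000000.600:106): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd0 a2=6e a3=0 items=0 ppid=2000 pid=2006 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="psql" exe="/usr/bin/psql" key="outbound"
type=SOCKADDR msg=audit(1700000000.600:106): saddr=01002F72756E2F6E7363642F736F636B657400
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
        fields['ts'] = m.group('ts')
        events[m.group('serial')][m.group('type')] = fields
    return events


def decode_saddr(hexstr):
    """Decode the hex-encoded struct sockaddr from a SOCKADDR record.

    Family is in host byte order (little-endian on x86_64/aarch64); port is in
    network order. Returns (family, ip, port); ip and port are None for non-IP
    families such as AF_UNIX.
    """
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], 'little')
    if family == AF_INET and len(raw) >= 8:      # sockaddr_in: family, port, 4-byte addr
        return family, ip_address(raw[4:8]), int.from_bytes(raw[2:4], 'big')
    if family == AF_INET6 and len(raw) >= 24:    # sockaddr_in6: family, port, flowinfo, 16-byte addr
        return family, ip_address(raw[8:24]), int.from_bytes(raw[2:4], 'big')
    return family, None, None


def outbound_connects(text, key='outbound'):
    """Return one dict per IP connect() attempt carrying the rule key, in serial order."""
    results = []
    for serial, recs in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        sc, sa = recs.get('SYSCALL'), recs.get('SOCKADDR')
        if not sc or not sa or sc.get('key') != key:
            continue
        family, ip, port = decode_saddr(sa['saddr'])
        if ip is None:      # AF_UNIX and other non-IP families: local IPC, not a transfer
            continue
        results.append({
            'serial': serial, 'auid': int(sc['auid']), 'pid': int(sc['pid']),
            'comm': sc['comm'], 'exe': sc['exe'],
            'dst': ip, 'port': port, 'success': sc['success'] == 'yes',
        })
    return results


def flag_unexpected(connects, allowed_networks):
    """Keep connects whose destination lies outside the allow-list, whatever the tool name.

    Failed attempts (success=no) are kept too: a refused connection still shows intent.
    """
    nets = [ip_network(n) for n in allowed_networks]
    return [c for c in connects if not any(c['dst'] in n for n in nets)]


if __name__ == '__main__':
    allowed = ['127.0.0.0/8', '::1/128', '192.168.1.0/24']   # assumption: the platform's own hosts
    for c in flag_unexpected(outbound_connects(SAMPLE_LOG), allowed):
        print(f"event {c['serial']}: auid={c['auid']} {c['comm']} ({c['exe']}) -> "
              f"[{c['dst']}]:{c['port']} success={c['success']}")
```

Because the rule fires on the syscall and the report keys on the decoded destination, the renamed binary in event 102 and the rsync over IPv6 in event 105 are flagged just like a plain `scp` would be, while the local psql connections are not. The syscall number for connect differs per architecture (42 on x86_64, 203 on aarch64), which is why the script matches on the rule key instead of the number; the same limitation the question raises still applies, since an allowed host or an encrypted tunnel to one hides what is carried.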