Re: Tracking user's activity



On Wed, 2 Jan 2008, Anjang Aki wrote:

> I've been looking for a proper way to track down users' activity inside the shell, as I'm helping my colleague to configure a web hosting and shell hosting server.
>
> Someone has referred me to this article -- http://bsdtips.utcorp.net/mediawiki/index.php/Snoop -- which uses the 'watch' command to view a user's activity once they have logged in to the server.
>
> I found that this 'watch' utility is very useful and is able to fulfill my needs, but I can only watch the activity if I am logged in to the server at the time the users are logged in.
>
> Is there any way that logging users' activity can be done without the need for me to log in to the server at the same time? Perhaps the activity can be logged into a file and I can read it later.
>
> Or is there any other utility I can use just to monitor users' activity, as the server was misused by a user previously and I don't want it to happen again in the future?

On recent FreeBSD versions, you can use the security event auditing facility to log all programs run by the user. This isn't quite the same as all commands, as some commands are internal to the shell (i.e., "echo", "alias", "cd", etc), but would certainly give you a trail of all substantive commands (editor sessions, etc). Take a look at the FreeBSD handbook chapter on audit. Make sure to set the policy flag to capture the full command line, not just the command itself.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html

I use the following /etc/security/audit_control to configure command line auditing on my shell boxes:

dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo,+ex
policy:cnt,argv
filesz:104857600

I also have audit_warn configured to compress the trails when they are cycled, per the example in the chapter. You can then use auditreduce and praudit to select and print records in various forms. If you're not interested in auditing commands by all users, you can use the audit_user config file to specify +ex auditing for just that one user.

Robert N M Watson
Computer Laboratory
University of Cambridge
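As an added check, not part of this thread, here is a small POSIX sh script that verifies an audit_control file selects the exec class (+ex) and the argv policy that the reply above relies on; the two file contents it tests are constructed samples, not read from a live system:

```shell
#!/bin/sh
# Added example, not from the thread: check an audit_control file for the
# two settings the reply depends on, +ex in flags/naflags (exec events are
# recorded) and argv in policy (full command lines are kept, not just paths).
# Print the value of key "$1" from audit_control text read on stdin.
audit_control_value() {
    sed -n "s/^$1:\(.*\)\$/\1/p" | head -n 1
}

# Usage: check_audit_control < /etc/security/audit_control
# Exit status 0 when all settings are present, 1 otherwise.
check_audit_control() {
    _conf=$(cat)
    _ok=0
    _flags=$(printf '%s\n' "$_conf" | audit_control_value flags)
    _naflags=$(printf '%s\n' "$_conf" | audit_control_value naflags)
    _policy=$(printf '%s\n' "$_conf" | audit_control_value policy)

    # flags/naflags are comma-separated class lists; "ex" or "+ex" selects execs.
    case ",$_flags," in
        *,ex,*|*,+ex,*) ;;
        *) echo "flags: exec class (+ex) not selected"; _ok=1 ;;
    esac
    case ",$_naflags," in
        *,ex,*|*,+ex,*) ;;
        *) echo "naflags: exec class (+ex) not selected"; _ok=1 ;;
    esac
    # Without argv in policy, exec records carry the program path only.
    case ",$_policy," in
        *,argv,*) ;;
        *) echo "policy: argv missing, command-line arguments not recorded"; _ok=1 ;;
    esac
    return $_ok
}

# Constructed samples: the config from the reply, and one that logs logins only.
GOOD_CONF='dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo,+ex
policy:cnt,argv
filesz:104857600'
WEAK_CONF='dir:/var/audit
flags:lo
naflags:lo
policy:cnt'

check_good() { printf '%s\n' "$GOOD_CONF" | check_audit_control; }
check_weak() { printf '%s\n' "$WEAK_CONF" | check_audit_control; }
```

Once the trail is being written, `auditreduce -c ex /var/audit/* | praudit` prints just the exec records, which is where the difference between path-only and full argv logging becomes visible.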

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
