Logging user activities
Jez Hancock
jez.hancock at munk.nu
Tue Jan 6 15:37:36 PST 2004
On Tue, Jan 06, 2004 at 01:04:30PM -0800, Richard Bejtlich wrote:
> What do you recommend for keeping track of user
> activities? For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html
This was a very interesting article, thanks for that. I made a note of
it on my blog where you can also find a perl script I wrote a while ago
to report on the history usage of all users logging in on a certain
date - I run it daily via cron to report on shell usage for the current day.
The article is here:
http://jez.hancock-family.com/archives/37_Securing_Users_Shell_Command_History.html
> My goal is to "watch the watchers," i.e. watch for
> abuse of power by SOC people with the ability to view
> traffic captured by sniffers.
>
> I plan to use sudo to limit and audit user activities
> too. I may also try some of the patches to bash
> listed at project.honeynet.org which send keystrokes
> to a remote server. Hardware keystroke logging is
> always a possibility.
As someone already mentioned, the snp driver is used by the watch(8)
utility to allow an admin to snoop on what users are doing on a tty.
This even allows you as an admin to actually interact with another
user's tty session (never fails to be amusing:P) and can be a very good
tool to help when demonstrating something for a user in their shell.
There's a good article on setting up watch(8) here:
http://www.freebsddiary.org/watch.php
There's also a port around that uses snp to log tty sessions.
IIRC the app is in /usr/ports/security/termlog - when I had a
brief look at it, it didn't seem too practical for logging all users' tty
sessions, but it might give you some ideas.
Good luck.
--
Jez Hancock
- System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - personal weblog
http://ipfwstats.sf.net/ - ipfw peruser traffic logging
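The daily shell-usage report described above, as an added example written for this page in Python rather than Jez's perl script (which is not reproduced here). It assumes login records in the shape of FreeBSD last(1) output and bash history files that carry '#<epoch>' timestamp lines (what bash writes when HISTTIMEFORMAT is set); the login lines, history contents, user names and paths are constructed sample data, not anything from the thread.

```python
import calendar
import re
from datetime import datetime, timezone

# Constructed sample input shaped like FreeBSD last(1) output, one login per
# line.  Not real log data.
LAST_OUTPUT = """\
rbejtlich  ttyp0    10.0.0.5         Tue Jan  6 09:10 - 10:02  (00:52)
jez        ttyp1    192.0.2.7        Tue Jan  6 08:30   still logged in
alice      ttyp2    10.0.0.9         Mon Jan  5 17:45 - 18:10  (00:25)
reboot     ~                         Sun Jan  4 02:00
"""

# Constructed sample ~/.bash_history contents.  rbejtlich's shell wrote
# '#<epoch>' timestamp lines; jez's shell did not, so those commands can only
# be reported as undated.  The third rbejtlich entry is from 2004-01-05.
HISTORIES = {
    "rbejtlich": "#1073380320\ntcpdump -r /captures/sensor1.pcap\n"
                 "#1073381100\nless /var/log/messages\n"
                 "#1073301600\nls\n",
    "jez": "kldload snp\nwatch -W ttyp0\n",
}

# user, tty, optional host, weekday, month, day-of-month, HH:MM
LAST_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(?:(\S+)\s+)?"
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) (\w{3})\s+(\d{1,2}) \d{2}:\d{2}")
PSEUDO_USERS = {"reboot", "shutdown"}   # last(1) records these as "users"


def users_logged_in(last_output, month, day):
    """Real users with a login record dated `month day`, e.g. ("Jan", 6)."""
    users = set()
    for line in last_output.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue
        user, _tty, _host, mon, dom = m.groups()
        if user in PSEUDO_USERS:
            continue
        if mon == month and int(dom) == day:
            users.add(user)
    return sorted(users)


def parse_history(text):
    """Yield (epoch or None, command) pairs from a bash history file.

    A '#<digits>' line is the timestamp of the command that follows it.  A
    user comment that happens to look like '#123' is indistinguishable from a
    timestamp in this format; that ambiguity is inherent to bash's file.
    """
    stamp = None
    for line in text.splitlines():
        if re.fullmatch(r"#\d+", line):
            stamp = int(line[1:])
            continue
        if line.strip():
            yield stamp, line
            stamp = None


def commands_on_day(text, day_start, day_end):
    """Dated commands inside [day_start, day_end) plus a count of undated ones."""
    dated, undated = [], 0
    for stamp, cmd in parse_history(text):
        if stamp is None:
            undated += 1
        elif day_start <= stamp < day_end:
            dated.append((datetime.fromtimestamp(stamp, timezone.utc), cmd))
    return dated, undated


def daily_report(last_output, histories, year, month, day):
    """Map each user who logged in that day to what their history shows."""
    mon_num = list(calendar.month_abbr).index(month)
    day_start = calendar.timegm((year, mon_num, day, 0, 0, 0))   # UTC day
    day_end = day_start + 86400
    report = {}
    for user in users_logged_in(last_output, month, day):
        text = histories.get(user)
        if text is None:
            # A user who logged in but has no history file is itself a
            # finding: history was disabled, never written, or removed.
            report[user] = {"commands": [], "undated": 0, "no_history": True}
            continue
        dated, undated = commands_on_day(text, day_start, day_end)
        report[user] = {"commands": dated, "undated": undated,
                        "no_history": False}
    return report


def format_report(report, year, month, day):
    """Plain-text summary suitable for mailing from a cron job."""
    lines = [f"Shell usage for {year} {month} {day}:"]
    for user, entry in report.items():
        if entry["no_history"]:
            lines.append(f"  {user}: NO HISTORY FILE")
            continue
        lines.append(f"  {user}: {len(entry['commands'])} dated command(s), "
                     f"{entry['undated']} undated")
        for when, cmd in entry["commands"]:
            lines.append(f"    {when:%H:%M}  {cmd}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = daily_report(LAST_OUTPUT, HISTORIES, 2004, "Jan", 6)
    print(format_report(rep, 2004, "Jan", 6))
```

On a real host the last(1) text would come from running `last` and the histories from each user's $HISTFILE. The report is only as trustworthy as the history files it reads: a user who can `unset HISTFILE` or truncate the file leaves nothing to report, which is why the undated count and the "no history file" line are worth keeping in the output, and why tty-level capture via snp does not depend on the shell's cooperation.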