Tracking user's activity

Robert Watson rwatson at FreeBSD.org
Wed Jan 2 04:00:08 PST 2008


On Wed, 2 Jan 2008, Anjang Aki wrote:

> I've been looking for a proper way to track down a user's activity inside 
> the shell as I'm helping my colleague to configure a web hosting and shell 
> hosting server.
>
> Someone has referred me to this article -- 
> http://bsdtips.utcorp.net/mediawiki/index.php/Snoop which uses the 'watch' 
> command to view a user's activity once they have logged in to the server.
>
> I found that this 'watch' utility is very useful and is able to fulfil my 
> needs, but I can only watch the activity if I am logged in to the server at 
> the time the users are logged in.
>
> Is there any way that logging a user's activity can be done without a need 
> for me to be logged in to the server at the same time? Perhaps the activity 
> can be logged to a file that I can read later.
>
> Or is there any other utility I can use just to monitor a user's activity, 
> as the server was misused by a user previously and I don't want it to happen 
> again in the future?

On recent FreeBSD versions, you can use the security event auditing facility 
to log all programs run by the user.  This isn't quite the same as all 
commands, as some commands are internal to the shell (i.e., "echo", "alias", 
"cd", etc), but would certainly give you a trail of all substantive commands 
(editor sessions, etc).  Take a look at the FreeBSD handbook chapter on audit. 
Make sure to set the policy flag to capture the full command line, not just 
the command itself.

   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html

I use the following /etc/security/audit_control to configure command line 
auditing on my shell boxes:

   dir:/var/audit
   flags:lo,+ex
   minfree:20
   naflags:lo,+ex
   policy:cnt,argv
   filesz:104857600

I also have audit_warn configured to compress the trails when they are cycled, 
per the example in the chapter.  You can then use auditreduce and praudit to 
select and print records in various forms.  If you're not interested in 
auditing commands by all users, you can use the audit_user config file to 
specify +ex auditing for just that one user.

Robert N M Watson
Computer Laboratory
University of Cambridge
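The reply above stresses two settings that decide whether the audit trail is useful for this purpose: the `ex` (execve) event class must be audited, and the `argv` policy must be on, or only program names are recorded without their arguments. The following Python is an added example (not Robert Watson's code or FreeBSD's own tooling) that parses an `audit_control` file in the format shown in the reply, reports those two weaknesses, and works out the classes in effect for one user from an `audit_user` file. It assumes the `audit_user(5)` line format `username:alwaysaudit:neveraudit` and the rule that a user's effective classes are the system `flags` plus the always-audit classes minus the never-audit classes; the sample file contents, the user names `bob` and `alice`, and the weak configuration are constructed for the demonstration.

```python
"""Sanity-check FreeBSD audit_control / audit_user settings for command auditing.

Added example for the thread above; not part of FreeBSD or the original reply.
"""

# Constructed sample: the audit_control from the reply above.
SAMPLE_AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo,+ex
policy:cnt,argv
filesz:104857600
"""

# Constructed sample of a configuration that logs logins only.
WEAK_AUDIT_CONTROL = """\
dir:/var/audit
flags:lo
naflags:lo
policy:cnt
"""

# Constructed sample audit_user: audit successful execs for 'bob' only.
# Format assumed from audit_user(5): username:alwaysaudit:neveraudit
SAMPLE_AUDIT_USER = """\
bob:+ex:no
"""


def parse_audit_control(text):
    """Parse 'key:value' lines into a dict; '#' comments and blanks are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def parse_flags(spec):
    """Split a flag list such as 'lo,+ex,-fr' into {class: prefix}.

    Prefix '+' means successful events only, '-' failed events only,
    '' both (audit_control(5) flag syntax)."""
    flags = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        prefix = item[0] if item[0] in "+-" else ""
        flags[item.lstrip("+-")] = prefix
    return flags


def check_exec_auditing(conf):
    """Return a list of problems that would keep the trail from showing
    which commands a user ran; an empty list means the config is adequate."""
    problems = []
    ex_prefix = parse_flags(conf.get("flags", "")).get("ex")
    if ex_prefix is None or ex_prefix == "-":
        problems.append("flags: successful execve(2) calls are not audited; add +ex")
    policy = {p.strip() for p in conf.get("policy", "").split(",") if p.strip()}
    if "argv" not in policy:
        problems.append("policy: 'argv' missing; program names but not arguments "
                        "will be recorded")
    return problems


def parse_audit_user(text):
    """Parse audit_user lines into {username: (always_flags, never_flags)}."""
    users = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, always, never = (line.split(":") + ["", ""])[:3]
        users[name.strip()] = (parse_flags(always), parse_flags(never))
    return users


def effective_classes(conf, users, username):
    """Classes whose successful events are audited for a user: system flags,
    plus the user's always-audit classes, minus never-audit classes.
    The pseudo-class 'no' (no classes) is ignored."""
    classes = {c for c, p in parse_flags(conf.get("flags", "")).items() if p != "-"}
    always, never = users.get(username, ({}, {}))
    classes |= {c for c, p in always.items() if p != "-"}
    classes -= {c for c in never if c != "no"}
    return classes


if __name__ == "__main__":
    for label, text in (("reply config", SAMPLE_AUDIT_CONTROL),
                        ("weak config", WEAK_AUDIT_CONTROL)):
        print(label, check_exec_auditing(parse_audit_control(text)) or "ok")
    weak = parse_audit_control(WEAK_AUDIT_CONTROL)
    users = parse_audit_user(SAMPLE_AUDIT_USER)
    for user in ("bob", "alice"):
        print(user, sorted(effective_classes(weak, users, user)))
```

Run against a real `/etc/security/audit_control` by reading the file into `parse_audit_control`; the weak sample shows what a login-only configuration looks like, and the per-user calculation mirrors the reply's suggestion of adding `+ex` for a single user in `audit_user` instead of for everyone.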



>
> Best regards,
>
>
> -- 
> -- Anjang Aki --
> mailman.msc at gmail.com