monitoring shell commands (recording username/cmd/time)

Jez Hancock jez.hancock at munk.nu
Fri Jun 18 07:27:08 GMT 2004


On Fri, Jun 18, 2004 at 01:22:50PM +1000, Andrew Nelson wrote:
> I'm wondering if there is a version of bash or tcsh that logs all commands
> to a file with username and time?   I've tried Sudo, but it's not all that
> practical for my purpose (I'm not that interested in restricting access,
> just seeing who has done what at which time...)   Can anyone help?

There's a kernel module called 'lrexec' that logs all system calls
executed to syslogd.  I configured it a while ago for my system and
wrote up a short comment on it here:

http://jez.hancock-family.com/archives/112_Installed_and_Configured_lrexec_module_For_Logging_System_Calls.html

The 'parent' site for the lrexec module is on sourceforge and goes under
the name 'Cerber':

http://cerber.sourceforge.net/

The lrexec module was originally a standalone piece of code by a guy
called Pawel Dawidek, a FreeBSD contributer:

http://jez.hancock-family.com/archives/43_Patching_FreeBSD_Kernel_To_Log_User_Activities.html

See also these interesting kernel level patches:

http://jez.hancock-family.com/archives/44_Kernel_Level_Patches.html

If you search the archives for freebsd-isp mailing list, you should find
more info on the patches there.

If a kernel module is too low level for you, it's also possible to patch
the shell source to log syscalls.  There's some minor info on it here:

http://jez.hancock-family.com/archives/37_Securing_Users_Shell_Command_History.html

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/        - ipfw peruser traffic logging
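As an added example that is not from the post above or from any of the linked projects, here is the shell-level variant of what the thread asks for: a bash DEBUG trap that sends every interactive command to syslog with timestamp, user, tty and working directory. The `local1` facility, the `shell-audit` tag and the tab-separated record layout are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: per-command audit records from an interactive bash shell.
# Source this from /etc/profile (or the user's .bashrc) on the audited host.

# Build one tab-separated record: timestamp, user, tty, cwd, command.
# Multi-line commands (for loops, heredocs) would break a line-oriented log,
# so embedded newlines and tabs are collapsed to spaces first.
audit_record() {
    local ts=$1 user=$2 tty=$3 cwd=$4 cmd=$5
    cmd=$(printf '%s' "$cmd" | tr '\n\t' '  ')
    printf '%s\t%s\t%s\t%s\t%s\n' "$ts" "$user" "$tty" "$cwd" "$cmd"
}

# Send a record to syslogd. local1 is an assumed facility; point it at its
# own file in syslog.conf (e.g. local1.* /var/log/shell-audit) so the
# records are kept away from the user who produced them.
audit_emit() {
    local who
    # Under sudo, SUDO_USER names the real person; otherwise use the login id.
    who=${SUDO_USER:-$(id -un)}
    logger -p local1.notice -t shell-audit -- \
        "$(audit_record "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$who" \
                        "$(tty 2>/dev/null || echo notty)" "$PWD" "$1")"
}

# Install only in interactive shells. The DEBUG trap fires before each
# simple command, so a pipeline such as "a | b" yields one record per stage.
case $- in
    *i*) trap 'audit_emit "$BASH_COMMAND"' DEBUG ;;
esac
```

A user who owns the shell process can reset the trap, so this gives accountability for cooperative users only; the kernel-level logging the post points to does not depend on the shell at all.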

