Greetings,

I've been looking for a proper way to track down user's activity inside the shell as I'm helping my colleague to configure a web hosting and shell hosting server.

Someone has referred me to this article -- http://bsdtips.utcorp.net/mediawiki/index.php/Snoop which is using 'watch' commands to view user's activity once they have logged in to the server.

I found that this 'watch' utility is very useful and is able to fulfill my needs, but I am only able to watch the activity if I'm logged in to the server at the time the users are logging in.

Is there any way that logging user's activity can be done without a need for me to log in to the server at the same time? Perhaps the activity can be logged into a file and I can read it later.

Or is there any other utility I can use just to monitor user's activity, as the server was misused by a user previously and I don't want it to happen again in the future.

Best regards,

--
-- Anjang Aki --
mailman.msc@gmail.com

Anjang Aki wrote:
> Greetings,
>
> I've been looking for a proper way to track down user's activity
> inside the shell as I'm helping my colleague to configure a web
> hosting and shell hosting server.
>
> Someone has referred me to this article --
> http://bsdtips.utcorp.net/mediawiki/index.php/Snoop which is using
> 'watch' commands to view user's activity once they have logged in to
> the server.
>
> I found that this 'watch' utility is very useful and is able to
> fulfill my needs, but I am only able to watch the activity if I'm
> logged in to the server at the time the users are logging in.
>
> Is there any way that logging user's activity can be done without a
> need for me to log in to the server at the same time? Perhaps the
> activity can be logged into a file and I can read it later.
>
> Or is there any other utility I can use just to monitor user's
> activity, as the server was misused by a user previously and I don't
> want it to happen again in the future.
>
> Best regards,

Hello!

You can use "script filename" and start doing your stuff. The user can press CTRL-D when he's finished doing his stuff so the content can be flushed to the file.

Happy new year,
Frank

Old, but good.

/usr/ports/security/snoopy/pkg-descr

snoopy is merely a shared library that is used as a wrapper to the execve() function provided by libc as to log every call to syslog (authpriv). system administrators may find snoopy useful in tasks such as light/heavy system monitoring, tracking other administrator's actions as well as getting a good 'feel' of what's going on in the system (for example apache running cgi scripts).

WWW: http://sourceforge.net/projects/snoopylogger/

Anjang Aki wrote:
> Greetings,
>
> I've been looking for a proper way to track down user's activity
> inside the shell as I'm helping my colleague to configure a web
> hosting and shell hosting server.

On Wed, 2 Jan 2008, Anjang Aki wrote:
> I've been looking for a proper way to track down user's activity inside
> the shell as I'm helping my colleague to configure a web hosting and shell
> hosting server.
>
> Someone has referred me to this article --
> http://bsdtips.utcorp.net/mediawiki/index.php/Snoop which is using 'watch'
> commands to view user's activity once they have logged in to the server.
>
> I found that this 'watch' utility is very useful and is able to fulfill my
> needs, but I am only able to watch the activity if I'm logged in to the
> server at the time the users are logging in.
>
> Is there any way that logging user's activity can be done without a need
> for me to log in to the server at the same time? Perhaps the activity can be
> logged into a file and I can read it later.
>
> Or is there any other utility I can use just to monitor user's activity,
> as the server was misused by a user previously and I don't want it to happen
> again in the future.

On recent FreeBSD versions, you can use the security event auditing facility to log all programs run by the user. This isn't quite the same as all commands, as some commands are internal to the shell (i.e., "echo", "alias", "cd", etc), but would certainly give you a trail of all substantive commands (editor sessions, etc). Take a look at the FreeBSD handbook chapter on audit. Make sure to set the policy flag to capture the full command line, not just the command itself.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html

I use the following /etc/security/audit_control to configure command line auditing on my shell boxes:

dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo,+ex
policy:cnt,argv
filesz:104857600

I also have audit_warn configured to compress the trails when they are cycled, per the example in the chapter. You can then use auditreduce and praudit to select and print records in various forms.

If you're not interested in auditing commands by all users, you can use the audit_user config file to specify +ex auditing for just that one user.

Robert N M Watson
Computer Laboratory
University of Cambridge

> Best regards,
>
> --
> -- Anjang Aki --
> mailman.msc@gmail.com
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
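
Added example (not part of the original thread or of FreeBSD): a small Python reader that turns praudit text output for execve records, as produced with the "+ex" flags and "argv" policy above, into a per-user command trail. The sample records, user names and addresses are constructed, and the field layout assumed is praudit's default one-token-per-line, comma-separated form.

```python
# Constructed sample, modelled on praudit's default output (one token per line).
SAMPLE = """\
header,133,10,execve(2),0,Wed Jan  2 10:15:03 2008, + 384 msec
exec arg,vi,index.html
path,/usr/bin/vi
subject,alice,alice,users,alice,users,38439,38032,42086,192.0.2.10
return,success,0
trailer,133
header,140,10,execve(2),0,Wed Jan  2 10:16:40 2008, + 12 msec
exec arg,cat,/etc/master.passwd
path,/bin/cat
subject,bob,root,wheel,root,wheel,38501,38032,42086,192.0.2.11
return,success,0
trailer,140
header,128,10,execve(2),0,Wed Jan  2 10:17:02 2008, + 5 msec
exec arg,ls,-la,/home
path,/bin/ls
subject,bob,bob,users,bob,users,38510,38032,42086,192.0.2.11
return,success,0
trailer,128
"""

def parse_exec_records(text):
    """Return one dict per execve record: time, audit user, effective user, argv."""
    records, cur = [], None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        f = rest.split(",")
        if token == "header":
            cur = {"event": f[2], "time": f[4].strip()}
        elif cur is None:
            continue  # token outside a header/trailer pair (truncated trail)
        elif token == "exec arg":
            cur["argv"] = f  # assumption: arguments contain no commas
        elif token == "subject":
            # subject token: audit ID first, then effective user ID
            cur["auid"], cur["euid"] = f[0], f[1]
        elif token == "trailer":
            if cur["event"].startswith("execve") and "argv" in cur and "auid" in cur:
                records.append(cur)
            cur = None
    return records

def trail_for(records, user):
    return [" ".join(r["argv"]) for r in records if r["auid"] == user]

def ran_as_other(records):
    """Commands whose effective user differs from the login (audit) user."""
    return [(r["auid"], r["euid"], " ".join(r["argv"])) for r in records if r["auid"] != r["euid"]]

if __name__ == "__main__":
    for r in parse_exec_records(SAMPLE):
        print(r["time"], r["auid"], "as", r["euid"], ":", " ".join(r["argv"]))
```

The audit ID is the first field of the subject token and stays with the login session, so the second sample record is still attributed to bob although it ran with root's effective ID.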