Date:      Wed, 7 Jan 2004 01:18:46 +0100 (CET)
From:      "Yoan Talagrand" <Shes@virtualdesire.org>
To:        <jez.hancock@munk.nu>
Cc:        richard_bejtlich@yahoo.com
Subject:   Re: Logging user activities
Message-ID:  <10408.62.202.47.216.1073434726.squirrel@my.modwest.com>
In-Reply-To: <20040106233725.GA78250@users.munk.nu>
References:  <20040106210430.28516.qmail@web60806.mail.yahoo.com> <20040106233725.GA78250@users.munk.nu>

There are many tools/ways to log user activities; it depends on what you
are trying to get and how you want it.
A quick and easy way to do so is to basically patch some shells, i.e. bash,
with a tool such as bash-bofh (we do use it on major servers with
approximately 500 shell users; it's working fine for our use).

I wrote a script once which, combined with such a logging system, allowed
you to restrict users' actions dynamically. It worked with blacklisted
commands, etc. You can do one easily.

Of course only one method isn't enough; you need to add many protections,
beginning with user/group access.

Yoan Talagrand
--
virtualdesire dot org
design hosting innovation


> On Tue, Jan 06, 2004 at 01:04:30PM -0800, Richard Bejtlich wrote:
>> What do you recommend for keeping track of user
>> activities?  For preserving bash histories I followed
>> these recommendations:
>>
>> http://www.defcon1.org/secure-command.html
> This was a very interesting article, thanks for that.  I made a note of
> it on my blog where you can also find a perl script I wrote a while ago
> to report on the history usage of all users logging in on a certain date
> - I run it daily via cron to report on shell usage for the current day.
>
> The article is here:
>
> http://jez.hancock-family.com/archives/37_Securing_Users_Shell_Command_History.html
>
>> My goal is to "watch the watchers," i.e. watch for
>> abuse of power by SOC people with the ability to view
>> traffic captured by sniffers.
>>
>> I plan to use sudo to limit and audit user activities
>> too.  I may also try some of the patches to bash
>> listed at project.honeynet.org which send keystrokes
>> to a remote server.  Hardware keystroke logging is
>> always a possibility.
> As someone already mentioned, the snp driver is used by the watch(8)
> utility to allow an admin to snoop on what users are doing on a tty.
> This even allows you as an admin to actually interact with another
> user's tty session (never fails to be amusing:P) and can be a very good
> tool to help when demonstrating something for a user in their shell.
>
> There's a good article on setting up watch(8) here:
>
> http://www.freebsddiary.org/watch.php
>
> There's also a port around that uses snp to log tty sessions.
> IIRC the app is in /usr/ports/security/termlog - when I had a
> brief look at it it didn't seem too practical for logging all users' tty
> sessions, but it might give you some ideas.
>
> Good luck.
>
> --
> Jez Hancock
>  - System Administrator / PHP Developer
>
> http://munk.nu/
> http://jez.hancock-family.com/  - personal weblog
> http://ipfwstats.sf.net/        - ipfw peruser traffic logging
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?10408.62.202.47.216.1073434726.squirrel>