Date: Wed, 2 Jan 2008 12:00:07 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Anjang Aki
Cc: freebsd-security@freebsd.org
Subject: Re: Tracking user's activity
Message-ID: <20080102115544.A30578@fledge.watson.org>

On Wed, 2 Jan 2008, Anjang Aki wrote:

> I've been looking for a proper way to track down user's activity inside
> the shell as I'm helping my colleague to configure a web hosting and shell
> hosting server.
>
> Someone has referred me to this article --
> http://bsdtips.utcorp.net/mediawiki/index.php/Snoop which is using the 'watch'
> command to view user's activity once they have logged in to the server.
>
> I found that this 'watch' utility is very useful and is able to fulfill my
> needs, but I can only watch the activity if I'm logged in to the server at
> the time the users are logging in.
>
> Is there any way that logging user's activity can be done without a need
> for me to log in at the server at the same time? Perhaps the activity can be
> logged into a file and I can read it later.
>
> Or is there any other utility I can use just to monitor user's activity,
> as the server was misused by a user previously and I don't want it to happen
> again in the future.

On recent FreeBSD versions, you can use the security event auditing facility
to log all programs run by the user. This isn't quite the same as all
commands, as some commands are internal to the shell (i.e., "echo", "alias",
"cd", etc), but would certainly give you a trail of all substantive commands
(editor sessions, etc). Take a look at the FreeBSD handbook chapter on audit.
Make sure to set the policy flag to capture the full command line, not just
the command itself.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html

I use the following /etc/security/audit_control to configure command line
auditing on my shell boxes:

  dir:/var/audit
  flags:lo,+ex
  minfree:20
  naflags:lo,+ex
  policy:cnt,argv
  filesz:104857600

I also have audit_warn configured to compress the trails when they are
cycled, per the example in the chapter. You can then use auditreduce and
praudit to select and print records in various forms.

If you're not interested in auditing commands by all users, you can use the
audit_user config file to specify +ex auditing for just that one user.

Robert N M Watson
Computer Laboratory
University of Cambridge

> Best regards,
>
> --
> -- Anjang Aki --
> mailman.msc@gmail.com
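The following is an added example and not part of Robert's message or the FreeBSD project's own code. It checks the two settings the reply stresses (the `ex` class in `flags`, so that program executions are recorded, and `argv` in `policy`, so that the full command line rather than only the program name is kept), and wraps the auditreduce/praudit selection for a single user's exec records. The `audit_control` content embedded below is constructed to match the one quoted in the thread; the `auditreduce -u`/`-c` and `praudit` invocation is assumed from the FreeBSD audit(4) tool set and only runs where those tools are installed.

```shell
#!/bin/sh
# Added example (not from the original message). Validates an audit_control
# file for full-command-line exec auditing and shows the selection pipeline.

# Constructed sample audit_control, matching the file quoted in the thread.
SAMPLE_AUDIT_CONTROL='dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo,+ex
policy:cnt,argv
filesz:104857600'

# audit_control_value FILE KEY -> prints the value of the first "KEY:value" line.
audit_control_value() {
    sed -n "s/^$2:\(.*\)$/\1/p" "$1" | head -n 1
}

# has_flag LIST ITEM -> succeeds if the comma-separated LIST contains ITEM.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_exec_auditing FILE -> succeeds only if program executions are selected
# (flags contains "+ex" or "ex") and the argv policy is set, which is what
# makes the trail record the full command line rather than the program name.
check_exec_auditing() {
    flags=$(audit_control_value "$1" flags)
    policy=$(audit_control_value "$1" policy)
    if ! has_flag "$flags" "+ex" && ! has_flag "$flags" "ex"; then
        echo "flags does not select exec events: '$flags'" >&2
        return 1
    fi
    if ! has_flag "$policy" "argv"; then
        echo "policy lacks argv: only program names would be logged" >&2
        return 1
    fi
    return 0
}

# show_user_execs USER [TRAILDIR] -> prints the exec-class records for USER
# from every trail in TRAILDIR (default /var/audit), in praudit's text form.
# Assumes the auditreduce(1) -u (audit user) and -c (class) options.
show_user_execs() {
    user=$1
    dir=${2:-/var/audit}
    if ! command -v auditreduce >/dev/null 2>&1; then
        echo "auditreduce not installed on this host" >&2
        return 1
    fi
    auditreduce -u "$user" -c ex "$dir"/* | praudit
}

# Stand-alone run: write the sample config to a temp file and check it.
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_EXAMPLE_NO_MAIN" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_AUDIT_CONTROL" > "$tmp"
    if check_exec_auditing "$tmp"; then
        echo "audit_control records full command lines for exec events"
    fi
    rm -f "$tmp"
fi
```

Run it against the real file with `check_exec_auditing /etc/security/audit_control` before trusting a trail, since a `policy` line without `argv` silently drops the arguments that distinguish one editor session or shell command from another. Per-user selection, as the reply suggests, goes in `audit_user` instead, one line per user of the form `username:alwaysaudit:neveraudit` (an assumption about that file's format, not something quoted in the thread).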