Date: Fri, 18 Jun 2004 08:25:56 +0100
From: Jez Hancock <jez.hancock@munk.nu>
To: Andrew Nelson <andrew__nelson@hotmail.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: monitoring shell commands (recording username/cmd/time)
Message-ID: <20040618072556.GB56759@munk.nu>
In-Reply-To: <BAY18-F66hIqU7MOKZv0001212c@hotmail.com>
References: <BAY18-F66hIqU7MOKZv0001212c@hotmail.com>

On Fri, Jun 18, 2004 at 01:22:50PM +1000, Andrew Nelson wrote:
> I'm wondering if there is a version of bash or tcsh that logs all commands
> to a file with username and time? I've tried Sudo, but it's not all that
> practical for my purpose (I'm not that interested in restricting access,
> just seeing who has done what at which time...) Can anyone help?

There's a kernel module called 'lrexec' that logs all system calls executed
to syslogd. I configured it a while ago for my system and wrote up a short
comment on it here:

http://jez.hancock-family.com/archives/112_Installed_and_Configured_lrexec_module_For_Logging_System_Calls.html

The 'parent' site for the lrexec module is on sourceforge and goes under the
name 'Cerber':

http://cerber.sourceforge.net/

The lrexec module was originally a standalone piece of code by a guy called
Pawel Dawidek, a FreeBSD contributor:

http://jez.hancock-family.com/archives/43_Patching_FreeBSD_Kernel_To_Log_User_Activities.html

See also these interesting kernel level patches:

http://jez.hancock-family.com/archives/44_Kernel_Level_Patches.html

If you search the archives for freebsd-isp mailing list, you should find
more info on the patches there.

If a kernel module is too low level for you, it's also possible to patch the
shell source to log syscalls. There's some minor info on it here:

http://jez.hancock-family.com/archives/37_Securing_Users_Shell_Command_History.html

-- 
Jez Hancock - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/ - Another FreeBSD Diary
http://ipfwstats.sf.net/ - ipfw peruser traffic logging