Date: Tue, 6 Jan 2004 23:37:25 +0000
From: Jez Hancock <jez.hancock@munk.nu>
To: Richard Bejtlich <richard_bejtlich@yahoo.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Logging user activities
Message-ID: <20040106233725.GA78250@users.munk.nu>
In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
References: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
On Tue, Jan 06, 2004 at 01:04:30PM -0800, Richard Bejtlich wrote:
> What do you recommend for keeping track of user
> activities?  For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html

This was a very interesting article, thanks for that.  I made a note of it
on my blog where you can also find a perl script I wrote a while ago to
report on the history usage of all users logging in on a certain date - I
run it daily via cron to report on shell usage for the current day.  The
article is here:

http://jez.hancock-family.com/archives/37_Securing_Users_Shell_Command_History.html

> My goal is to "watch the watchers," i.e. watch for
> abuse of power by SOC people with the ability to view
> traffic captured by sniffers.
>
> I plan to use sudo to limit and audit user activities
> too.  I may also try some of the patches to bash
> listed at project.honeynet.org which send keystrokes
> to a remote server.  Hardware keystroke logging is
> always a possibility.

As someone already mentioned, the snp driver is used by the watch(8)
utility to allow an admin to snoop on what users are doing on a tty.  This
even allows you as an admin to actually interact with another user's tty
session (never fails to be amusing:P) and can be a very good tool to help
when demonstrating something for a user in their shell.

There's a good article on setting up watch(8) here:

http://www.freebsddiary.org/watch.php

There's also a port around that uses snp to log tty sessions.  IIRC the
app is in /usr/ports/security/termlog - when I had a brief look at it it
didn't seem too practical for logging all users' tty sessions, but it
might give you some ideas.

Good luck.

-- 
Jez Hancock
 - System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - personal weblog
http://ipfwstats.sf.net/ - ipfw peruser traffic logging