From: Guy Helmer <ghelmer@scl.ameslab.gov>
To: Dinesh Pal
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Logging User's activity
Date: Fri, 27 Feb 1998 08:20:56 -0600 (CST)
In-Reply-To: <34F6DAEC.8DEED7F8@opentech.stpn.soft.net>

On Fri, 27 Feb 1998, Dinesh Pal wrote:

> One of my FreeBSD users is very creative. He always tries to explore something new
> on my servers. I want to log all the commands entered by him without his
> knowledge, so that I can check them later. Please advise.

In contrast to the other schemes mentioned (turn on csh history, wrap his/her logins in "script", etc.), something the user can't get around would be to turn on process accounting. Make sure the directory /var/account exists and set accounting_enable="YES" in /etc/rc.conf. After the system is restarted, each process will be logged in /var/account/acct at termination. You can use the command lastcomm(1) to review entries in this file, and you can limit the commands shown to those of the particular user by using "lastcomm username".
The caveats to this method are that the parameters to the command are not kept, and the command may not be what you think it is, since process accounting merely logs the name, not the path, of the program (e.g., symlinks or personal programs that have the same name as a system executable may be misleading).

IMHO, this is a more politically acceptable solution than the others since 1) you are effectively logging everyone's activities (not a bad idea, if you ever need to diagnose issues having to do with other problem users), and 2) you are not doing anything that directly targets this particular user.

When I administered undergraduate timesharing systems, process accounting provided a simple way to uncover which users were executing hacker tools -- fortunately they didn't think to rename their executable from "hacker-toolname" to something innocuous like "ls", which would have foiled my forensic analysis :-)

However, if your system is very busy and you don't have much disk space for /var, process accounting may fill your available disk space. Use with care.

Guy Helmer

--
Guy Helmer, Computer Science Graduate Student - ghelmer@scl.ameslab.gov
Iowa State University http://www.cs.iastate.edu/~ghelmer
Research Assistant, Scalable Computing Laboratory, Ames Laboratory
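As an added illustration of the review step described in the reply (not code from the original post or from FreeBSD itself): a few POSIX shell functions that check whether accounting_enable is set in an rc.conf-style file and summarise lastcomm-style output per user. The sample accounting lines are constructed, and the column layout (command, flags, user, tty, time, date) is an assumption about lastcomm's format; real output should be piped in from `lastcomm` on the host.

```sh
#!/bin/sh
# Added example, not part of the original mailing-list reply.
# Constructed sample in a lastcomm-like layout (not real accounting data):
#   command flags user tty secs date...
SAMPLE_ACCT='ls           -   alice  ttyp0   0.01 secs Fri Feb 27 08:20
cc           -   alice  ttyp0   1.20 secs Fri Feb 27 08:21
ls           -   bob    ttyp1   0.01 secs Fri Feb 27 08:22
scanner      -   bob    ttyp1   3.50 secs Fri Feb 27 08:23
ls           -F  bob    ttyp1   0.01 secs Fri Feb 27 08:24'

# Report whether process accounting is enabled in the given rc.conf-style
# file (path is a parameter so it can be tested against a constructed file).
acct_enabled() {
    grep -Eq '^accounting_enable="?YES"?' "$1"
}

# Count how many times each user ran each command name.
# Reads lastcomm-style lines on stdin, prints "user command count", sorted.
# Only the basename is available, which is exactly the caveat in the reply:
# a personal program named "ls" is indistinguishable from /bin/ls here.
summarize_acct() {
    awk '{ n[$3 " " $1]++ } END { for (k in n) print k, n[k] }' | sort
}

# Command names run by one user, the equivalent of "lastcomm username".
user_commands() {
    awk -v u="$1" '$3 == u { print $1 }'
}

# Stand-alone usage: summarise the constructed sample.
printf '%s\n' "$SAMPLE_ACCT" | summarize_acct
```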