This is a discussion on How to log user activity? within the Linux Security forums, part of the System Security and Security Related category.

exquisitus wrote:

I am about to allow external users to log onto my dev machine, across the internet. I would like to log their activities so that I can perform an audit trail. Anyone knows how to do this/or a utility/script that allows me to do this?

MTIA

exquisitus wrote:
> I am about to allow external users to log onto my dev machine, across
> the internet. I would like to log their activities so that I can perform
> an audit trail. Anyone knows how to do this/or a utility/script that
> allows me to do this?

Depending on your operating system you might find "snoopy" useful; it will log all processes executed, via the use of LD_PRELOAD, to syslog.

Under Debian you can install it easily, and it's described briefly here: http://www.debian-administration.org/?article=88

Snoopy lives here: http://sourceforge.net/projects/snoopylogger/

Steve
--
www.steve.org.uk

exquisitus <nebulla@alpha-centauri.com> wrote in news:cvnhij$idt$1@hercules.btinternet.com:
> I am about to allow external users to log onto my dev machine, across
> the internet. I would like to log their activities so that I can perform
> an audit trail. Anyone knows how to do this/or a utility/script that
> allows me to do this?

The .history files.

You can just turn them on with something like a 1000 line history, then inform users you will consider any editing or deleting of the file to be suspicious.

Or there are ways to remove their ability to edit the file, or even start keeping the files in a directory or even a different computer that they don't have access to.

I find it best (if you have the CPU for it) to leave them thinking that they have the ability to delete it and hide their actions. Then set up the machine to keep 2 copies of the history. One they own in their directory, and one for you in another directory.

Gandalf Parker

Gandalf Parker wrote:
> exquisitus <nebulla@alpha-centauri.com> wrote in news:cvnhij$idt$1@hercules.btinternet.com:
>> I am about to allow external users to log onto my dev machine, across
>> the internet. I would like to log their activities so that I can perform
>> an audit trail. Anyone knows how to do this/or a utility/script that
>> allows me to do this?
>
> The .history files.
>
> You can just turn them on with something like a 1000 line history, then
> inform users you will consider any editing or deleting of the file to be
> suspicious.
>
> Or there are ways to remove their ability to edit the file, or even start
> keeping the files in a directory or even a different computer that they
> don't have access to.
>
> I find it best (if you have the CPU for it) to leave them thinking that
> they have the ability to delete it and hide their actions. Then set up the
> machine to keep 2 copies of the history. One they own in their directory,
> and one for you in another directory.
>
> Gandalf Parker

This is very interesting. Sounds like what I need. Do you have any links where I can get some further info on how to do this? - or could you kindly elaborate further?

Many thanks

Renegade <inv@lid.net> wrote in news:wMNTd.118875$JF2.69457@tornado.tampabay.rr.com:
> On Fri, 25 Feb 2005 20:32:24 +0000, exquisitus wrote:
>>> I find it best (if you have the CPU for it) to leave them thinking
>>> that they have the ability to delete it and hide their actions. Then
>>> set up the machine to keep 2 copies of the history. One they own in
>>> their directory, and one for you in another directory.
>>
>> This is very interesting. Sounds like what I need. Do you have any
>> links where I can get some further info on how to do this? - or could
>> you kindly elaborate further?
>>
>> Many thanks
>
> Yes, please explain further, Gandalf. I like that idea also. :)

Hmmmm. I'm digging through my stuff and all I can dig up is my half-ass cron that copies history files to an archive directory under /var/log/history/[login].history.[#]

It checks to see if the new one is smaller than the old one, and if it is then it increments the file name (danas.history.1 danas.history.2). It didn't catch every command but it caught enough to know who was trying things they shouldn't.

I know of at least one of the sysadmins I worked with that improved it writing a C code routine that used the read/write commands that are part of the history logging itself (man history) but I can't find a copy of that now. The cron thing works all right if you have a few people you are keeping an eye on, but didn't work for a large shell machine, hence the improved version.

The cron idea might work for some of you and I will keep looking for the other thing. (or maybe someone here can build off the idea)

Gandalf Parker

On Fri, 25 Feb 2005, Renegade wrote:
> On Fri, 25 Feb 2005 20:32:24 +0000, exquisitus wrote:
>>> I find it best (if you have the CPU for it) to leave them thinking
>>> that they have the ability to delete it and hide their
>>> actions. Then set up the machine to keep 2 copies of the
>>> history. One they own in their directory, and one for you in
>>> another directory.
>>>
>>> Gandalf Parker
>>
>> This is very interesting. Sounds like what I need. Do you have any
>> links where I can get some further info on how to do this? - or
>> could you kindly elaborate further?
>>
>> Many thanks
>
> Yes, please explain further, Gandalf. I like that idea also. :)

Though there's various ways of not having shell commands appear in .history files, e.g. access to emacs and I don't think the subject of a shell-command-on-region appears anywhere

Robert
--
The frog dreams..in its water tower

You can use the GNU Accounting Utils ( http://www.gnu.org/software/acct/ ) to do this rather easily.

Stu

exquisitus wrote:
> I am about to allow external users to log onto my dev machine, across
> the internet. I would like to log their activities so that I can perform
> an audit trail. Anyone knows how to do this/or a utility/script that
> allows me to do this?
>
> MTIA

Robert Marshall <spam@chezmarshall.freeserve.co.uk> wrote in news:m1sm3jpxkw.fsf@chezmarshall.freeserve.co.uk:
> Though there's various ways of not having shell commands appear in
> .history files, e.g. access to emacs and I don't think the subject of
> a shell-command-on-region appears anywhere

People who can use emacs can do a lot of things. :)

Everything has its pros and cons. For each known defense there is someone who knows how to get around it. But each layer is good for something (having an alarm on my diamonds doesn't mean it's worthless to lock the doors also).

Creativity is the best defense. Things which are not yet common practice.

Cron watchdogs can do much. Copy the ps command to a new directory. Have a cron job sample that ps command regularly. Certain commands, certain users, or certain groups can be emailed to you.

Do the same with netstat -an. Have it run to a "normal.ns" file somewhere and then run it again on a regular basis to a "now.ns" file, then do a diff normal.ns now.ns >something.ns, then if something.ns is more than 0 bytes (there is a difference) have that emailed to you.

Write scripts to replace some commands such as ifconfig or gcc. The script can just record the calling action to a log and then pass the call to the real program, or it might record all information about connections and activity then email it to you on some machine other than the one in question. Better yet, you can even have the machine text-message your pager every time gcc gets used.

Edit the default shell profiles in the /etc directory. Each of them has a check for the user being root or other high-UID logins. Usually it does nothing more than set the prompt unique for root or maybe a safer umask. Add a line for the machine's info to be mailed to you, or on rarely-visited sites have yourself paged whenever anyone becomes root. (by the way, putting that in on the check for UID=0 or UID<14 will also catch activity by rewt when someone uses overflows to create a new root-access account)

Hmmmm, that's all that comes to mind quickly.

Anyway, any known defense has a known offense. Get creative about watching for strange activities.

Gandalf Parker
--
Having a locked fence doesn't mean it's not worthwhile to have a watchdog in the yard.

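The normal.ns/now.ns watchdog from the post above, as an added example (not the poster's own script) in POSIX shell; it goes a step beyond the plain diff by comparing only the LISTEN set, so transient client connections coming and going do not trigger a mail. The netstat lines embedded below are constructed sample data, and the mail command in the comment is an assumed deployment, not part of the post.

```shell
#!/bin/sh
# Added example, not the poster's script: the "normal.ns" versus "now.ns"
# watchdog, made a little more robust by comparing only the set of
# listening sockets, so ordinary client connections coming and going do
# not raise an alert. Works on `netstat -an` and `ss -tan` output (the
# local address is column 4 in both). Constructed sample data below.

# Extract the sorted, de-duplicated set of local listening addresses.
listeners() {
    grep 'LISTEN' "$1" | awk '{print $4}' | sort -u
}

# Compare baseline ($1) against a fresh snapshot ($2). Prints the listeners
# that appeared or disappeared; returns 0 if nothing changed, 1 otherwise.
check_drift() {
    b=$(mktemp); n=$(mktemp)
    listeners "$1" > "$b"
    listeners "$2" > "$n"
    added=$(comm -13 "$b" "$n")      # in now but not in baseline
    removed=$(comm -23 "$b" "$n")    # in baseline but not in now
    rm -f "$b" "$n"
    [ -z "$added" ] && [ -z "$removed" ] && return 0
    [ -n "$added" ]   && printf 'new listener: %s\n' $added
    [ -n "$removed" ] && printf 'gone listener: %s\n' $removed
    return 1
}

# Constructed netstat-style samples (not real captures).
NORMAL_NS='tcp   0  0 0.0.0.0:22     0.0.0.0:*       LISTEN
tcp   0  0 10.0.0.2:22   10.0.0.5:51234  ESTABLISHED'
NOW_NS='tcp   0  0 0.0.0.0:22     0.0.0.0:*       LISTEN
tcp   0  0 0.0.0.0:8081   0.0.0.0:*       LISTEN
tcp   0  0 10.0.0.2:22   10.0.0.9:40001  ESTABLISHED'

# Demo: from cron you would run `netstat -an > now.ns` first and mail the
# report, e.g. `check_drift normal.ns now.ns | mail -s "listener drift" you`.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$NORMAL_NS" > "$d/normal.ns"
    printf '%s\n' "$NOW_NS" > "$d/now.ns"
    check_drift "$d/normal.ns" "$d/now.ns"
    rc=$?
    rm -rf "$d"
    return $rc
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```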
On Fri, 25 Feb 2005 18:02:03 GMT, Gandalf Parker (gandalf@most.of.my.favorite.sites) wrote:
> exquisitus <nebulla@alpha-centauri.com> wrote in news:cvnhij$idt$1@hercules.btinternet.com:
>> I am about to allow external users to log onto my dev machine, across
>> the internet. I would like to log their activities so that I can perform
>> an audit trail. Anyone knows how to do this/or a utility/script that
>> allows me to do this?
>
> The .history files.
>
> You can just turn them on with something like a 1000 line history, then
> inform users you will consider any editing or deleting of the file to be
> suspicious.
>
> Or there are ways to remove their ability to edit the file, or even start
> keeping the files in a directory or even a different computer that they
> don't have access to.
>
> I find it best (if you have the CPU for it) to leave them thinking that
> they have the ability to delete it and hide their actions. Then set up the
> machine to keep 2 copies of the history. One they own in their directory,
> and one for you in another directory.

Or, do things the right way -- enable process accounting -- Linux has supported it for a _long_ time (it has been integrated in the kernel since 1.3.7x, and patches exist for older kernels). See <http://www.tldp.org/HOWTO/Process-Accounting/> for details.

Beverly
--
Many a smale maketh a grate -- Geoffrey Chaucer

"Bev A. Kupf" <bevakupf@myhome.net> wrote in news:slrnd2197g.69k.bevakupf@myhome.net:
> Or, do things the right way -- enable process accounting

Isn't that usually on? Most people should do a "lastcomm" command to see if that's already running.

Gandalf Parker