From: Tim Walberg
Subject: Re: Remote login Typed commands
Date: Mon, 17 Jun 2002 10:30:47 -0500
Message-ID: <20020617103047.A6901@mindspring.com>
References: <3FFCFC6BDD6BD5118FC700805F9F5E700856E0@SR-EDM-EXCH5> <20020617111617.C7936@zerodivide.cx>
In-Reply-To: <20020617111617.C7936@zerodivide.cx>
To: Tyler
Cc: linux-admin@vger.kernel.org

One method I've used before is to replace the user's shell
in /etc/passwd with a script that straces the user's real shell,
and logs all exec system calls (i.e. 'strace -ftv -e trace=process -o ')

On 06/17/2002 11:16 -0400, Tyler wrote:
>> On Mon, Jun 17, 2002 at 09:09:39AM -0600, Abiy,Mike [Edm] wrote:
>> >
>> > The part that I am more concerned about is the keystrokes used (commands
>> > run) during the remote login session. I can find out who logged in from
>> > the wtmp file in /var/log, but I would like to be able to find what
>> > commands they used during a particular session.
>> > thanks
>> > mike
>>
>> Not really, unless you set up a keystroke logger ahead of time. You
>> could always read the user's ~/.bash_history or equivalent, but
>> if the user is doing something malicious, he or she will probably remove
>> or alter that file.
>>
>> --
>> tyler at zerodivide dot cx
>> AIM: zerodivide1101
>> Mobile SMS: tyler-mobile at zerodivide dot cx
End of included message

--
twalberg@mindspring.com
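
A sketch of the wrapper approach described in the reply above, added here as an example and not taken from anyone in the thread. The script name `audit-shell`, the `REAL_SHELL` and `AUDIT_DIR` settings, the log naming and the sample log lines are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Install as "audit-shell" and set
# it as the account's shell in /etc/passwd. REAL_SHELL and AUDIT_DIR are assumed.
REAL_SHELL=${REAL_SHELL:-/bin/bash}
AUDIT_DIR=${AUDIT_DIR:-/var/log/shell-audit}   # hypothetical path

# One log per session: <dir>/<user>.<start time>.<wrapper pid>.strace
audit_log_path() {
    printf '%s/%s.%s.%s.strace\n' "$AUDIT_DIR" "$1" "$2" "$3"
}

# Trace the real shell and every child (-f), timestamped (-t), with full
# argv/env (-v), recording only process-management calls such as execve.
run_audited_shell() {
    umask 077
    log=$(audit_log_path "$(id -un)" "$(date +%Y%m%dT%H%M%S)" "$$")
    exec strace -ftv -e trace=process -o "$log" "$REAL_SHELL" "$@"
}

# Reduce a log (file arguments or stdin) to "time pid path [argv]" for each
# execve that succeeded; failed PATH-search attempts (= -1 ENOENT) are dropped.
summarize_execs() {
    awk '
    / execve\(/ && / = 0$/ {
        s = substr($0, index($0, "execve(\"") + 8)
        cut = index(s, "\", [")
        path = substr(s, 1, cut - 1)
        s = substr(s, cut + 4)
        argv = substr(s, 1, index(s, "], [") - 1)
        print $2, $1, path, "[" argv "]"
    }' "$@"
}

# Constructed sample of "strace -ftv -o" output, for trying the summarizer.
sample_log() {
    cat <<'EOF'
6901  10:30:47 execve("/bin/bash", ["-bash"], ["HOME=/home/mike"]) = 0
6902  10:31:02 execve("/usr/local/bin/ls", ["ls", "-l", "/tmp"], ["HOME=/home/mike"]) = -1 ENOENT (No such file or directory)
6902  10:31:02 execve("/bin/ls", ["ls", "-l", "/tmp"], ["HOME=/home/mike"]) = 0
6902  10:31:02 exit_group(0) = ?
EOF
}

# Act as a login shell only when invoked under the installed name.
case "${0##*/}" in
    audit-shell) run_audited_shell "$@" ;;
esac
```

strace runs with the user's own privileges, so the session log is owned by that user and set-uid programs started under the trace run without their elevated privileges.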