* Linux user logging
@ 2004-07-15 21:14 Michael Gale
2004-07-15 21:31 ` [OT] " Antony Stone
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Michael Gale @ 2004-07-15 21:14 UTC (permalink / raw)
To: netfilter
Hello,
I know this is not a netfilter question but I was wondering if anyone knows of a way to log all user activity. So if a
user logs in via a SSH connection I would like to log all user activity. What files they view or alter and any other
commands?
--
Michael Gale
Network Administrator
Utilitran Corporation
* Re: [OT] Linux user logging
From: Antony Stone @ 2004-07-15 21:31 UTC (permalink / raw)
To: netfilter
On Thursday 15 July 2004 10:14 pm, Michael Gale wrote:
> Hello,
>
> I know this is not a netfilter question but I was wondering if anyone
> knows of a way to log all user activity. So if a user logs in via a SSH
> connection I would like to log all user activity. What files they view or
> alter and any other commands?
Try a rootkit :)
If an attacker can implant a keystroke logger in your system, you should be
able to too :)
Other than that - it's the beauty of Open Source Software - you can change the
SSH daemon to do whatever you want it to, on your system....
Regards,
Antony.
--
"It would appear we have reached the limits of what it is possible to achieve
with computer technology, although one should be careful with such
statements; they tend to sound pretty silly in five years."
- John von Neumann (1949)
Please reply to the list;
please don't CC me.
* Re: Linux user logging
From: Predrag Petrovic @ 2004-07-15 23:14 UTC (permalink / raw)
To: Michael Gale; +Cc: netfilter
Well you have the .bash_history file :-/
LogWatch and lots of programs for that stuff :)
Michael Gale wrote:
>Hello,
>
> I know this is not a netfilter question but I was wondering if anyone knows of a way to log all user activity. So if a
>user logs in via a SSH connection I would like to log all user activity. What files they view or alter and any other
>commands?
* Re: [OT] Linux user logging
From: Aleksandar Milivojevic @ 2004-07-16 14:49 UTC (permalink / raw)
To: Michael Gale; +Cc: netfilter
Michael Gale wrote:
> Hello,
>
> I know this is not a netfilter question but I was wondering if anyone knows of a way to log all user activity. So if a
> user logs in via a SSH connection I would like to log all user activity. What files they view or alter and any other
> commands?
Yup, completely OT for this mailing list...
What you are looking for is called auditing. There are some projects
for implementing it on Linux, but AFAIK nothing final and stable. If I
understood it correctly (and I might be completely wrong here), the
major problem is that the core group of Linux kernel developers is reluctant
to put appropriate auditing hooks into the kernel (not even as a
compile-time option for those that need it), for whatever reason.
Note that good auditing is not trivial to configure, and depending on
what you want to log, auditing can produce *huge* log files.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: [OT] Linux user logging
From: Erik Wikström @ 2004-07-17 12:11 UTC (permalink / raw)
To: netfilter
On Fri, Jul 16, 2004 at 09:49:13AM -0500, Aleksandar Milivojevic wrote:
> Michael Gale wrote:
> > Hello,
> >
> > I know this is not a netfilter question but I was wondering if
> > anyone knows of a way to log all user activity. So if a
> > user logs in via a SSH connection I would like to log all user activity.
> > What files they view or alter and any other
> > commands?
>
> Yup, completely OT for this mailing list...
>
> What you are looking for is called auditing. There are some projects
> for implementing it on Linux, but AFAIK nothing final and stable. If I
> understood it correctly (and I might be completely wrong here), the
> major problem is that the core group of Linux kernel developers is reluctant
> to put appropriate auditing hooks into the kernel (not even as a
> compile-time option for those that need it), for whatever reason.
>
> Note that good auditing is not trivial to configure, and depending on
> what you want to log, auditing can produce *huge* log files.
You might be interested in looking at BSD Process Accounting, which can
be found under General Setup in the kernel configuration. It should give
you information about which processes a user ran and such things.
I also have an option called Enable Auditing (also under General Setup)
in my 2.6.7 kernel. Both of these probably need some userland tools but
I'm sure a search can give you what you need.
--
Erik Wikström
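
To show what the BSD Process Accounting mentioned in the last message actually records, here is an added example (not part of any post in the thread) that decodes the kernel's accounting file. It assumes the 64-byte `struct acct_v3` layout from `<linux/acct.h>` on a little-endian machine; the helper names and the sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: struct acct_v3 (<linux/acct.h>), 64 bytes, little-endian:
# flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
# 8 x comp_t (utime, stime, mem, io, rw, minflt, majflt, swaps), comm[16]
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10   # ac_flag bits

def expand_comp_t(c):
    """Decode comp_t: 13-bit mantissa scaled by a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def parse_acct(data):
    """Yield one dict per complete v3 record; ignore a truncated tail."""
    usable = len(data) - len(data) % ACCT_V3.size
    for off in range(0, usable, ACCT_V3.size):
        f = ACCT_V3.unpack_from(data, off)
        if f[1] & 0x7F != 3:          # high bit of ac_version marks byte order
            continue                  # not a v3 record, skip it
        yield {
            "uid": f[4], "pid": f[6], "ppid": f[7],
            "start": datetime.fromtimestamp(f[8], timezone.utc),
            "elapsed_ticks": f[9],
            "utime_ticks": expand_comp_t(f[10]),
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "superuser": bool(f[0] & ASU),
            "killed_by_signal": bool(f[0] & AXSIG),
        }

def commands_by_uid(data, uid):
    """Return (pid, command name) for every process run under `uid`."""
    return [(r["pid"], r["comm"]) for r in parse_acct(data) if r["uid"] == uid]

# Constructed sample: two records plus a 10-byte truncated tail.
SAMPLE = (
    ACCT_V3.pack(0, 3, 0, 0, 1000, 1000, 4242, 4200, 1089925000, 12.0,
                 5, 1, 0, 0, 0, 0, 0, 0, b"vi")
    + ACCT_V3.pack(ASU, 3, 0, 0, 0, 0, 4250, 1, 1089925060, 3.0,
                   (1 << 13) | 2, 0, 0, 0, 0, 0, 0, 0, b"iptables")
    + b"\x00" * 10
)

if __name__ == "__main__":
    for rec in parse_acct(SAMPLE):
        print(rec["start"].isoformat(), rec["uid"], rec["pid"], rec["comm"])
```

Each record holds only the command name (16 bytes of `ac_comm`), the IDs, and timing and resource counters; it has no arguments and no file names, so process accounting covers the "which commands" half of the original question but not "which files".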