* Remote login Typed commands
From: Abiy,Mike [Edm] @ 2002-06-17 14:00 UTC (permalink / raw)
To: linux-admin
Hi,
Can anyone tell me a way to tell what commands or series of commands or
scripts to use in order to identify who logged in remotely and what
keystrokes each remote user had used?
Thanks,
Mike
* RE: Remote login Typed commands
From: Abiy,Mike [Edm] @ 2002-06-17 15:09 UTC (permalink / raw)
To: 'david.jay.jackson@wcox.com',
'linux-admin@vger.kernel.org'
The part that I am more concerned about is the keystrokes used (commands
run) during the remote login session. I can find out who logged in from
the wtmp file in /var/log, but I would like to be able to find what
commands they used during a particular session.
Thanks,
Mike
-----Original Message-----
From: David Jackson [mailto:david.jay.jackson@wcox.com]
Sent: June 17, 2002 8:51 AM
To: Abiy,Mike [Edm]
Subject: Re: Remote login Typed commands
Mike
>Hi,
>Can anyone tell me a way to tell what commands or series of commands or
>scripts to use in order to identify who logged in remotely and what
>keystrokes each remote user had used?
>Thanks,
>Mike
Check syslog or messages, in either /var/log or /var/adm; they log every user
who logged in and from where.
david
* Re: Remote login Typed commands
From: Tyler @ 2002-06-17 15:16 UTC (permalink / raw)
To: linux-admin
On Mon, Jun 17, 2002 at 09:09:39AM -0600, Abiy,Mike [Edm] wrote:
>
> The part that I am more concerned about is the keystrokes used (commands
> run) during the remote login session. I can find out who logged in from
> the wtmp file in /var/log, but I would like to be able to find what
> commands they used during a particular session.
> thanks
> mike
Not really, unless you set up a keystroke logger ahead of time. You
could always read the user's ~/.bash_history or equivalent, but
if the user is doing something malicious, he or she will probably remove
or alter that file.
--
tyler at zerodivide dot cx
AIM: zerodivide1101
Mobile SMS: tyler-mobile at zerodivide dot cx
* Re: Remote login Typed commands
From: Tim Walberg @ 2002-06-17 15:30 UTC (permalink / raw)
To: Tyler; +Cc: linux-admin
One method I've used before is to replace the user's shell in
/etc/passwd with a script that straces the user's real shell
and logs all exec system calls (i.e. 'strace -ftv -e trace=process -o <somefile> <realshell>').
On 06/17/2002 11:16 -0400, Tyler wrote:
>> On Mon, Jun 17, 2002 at 09:09:39AM -0600, Abiy,Mike [Edm] wrote:
>> >
>> > The part that I am more concerned about is the keystrokes used (commands
>> > run) during the remote login session. I can find out who logged in from
>> > the wtmp file in /var/log, but I would like to be able to find what
>> > commands they used during a particular session.
>> > thanks
>> > mike
>>
>> Not really, unless you set up a keystroke logger ahead of time. You
>> could always read the user's ~/.bash_history or equivalent, but
>> if the user is doing something malicious, he or she will probably remove
>> or alter that file.
>>
>> --
>> tyler at zerodivide dot cx
>> AIM: zerodivide1101
>> Mobile SMS: tyler-mobile at zerodivide dot cx
End of included message
--
twalberg@mindspring.com
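
Added example, not part of Tim Walberg's message or any list member's code: a parser for the log that the `strace -ftv -e trace=process -o <somefile> <realshell>` wrapper described above would write, recovering which programs each process actually started. The sample log, PIDs and paths are constructed; because `-f` follows children, a nested `sh` still shows up, but shell builtins such as `cd` never call execve and so leave no line.

```python
import re

# Line shape from `strace -f -t -v -e trace=process -o FILE`: "PID HH:MM:SS call(...) = RESULT"
HEAD = re.compile(r'^(\d+)\s+(\d\d:\d\d:\d\d)\s+(.*)$')
CSTR = re.compile(r'"((?:[^"\\]|\\.)*)"(?:\.\.\.)?')   # a C string as strace prints it
RESULT = re.compile(r'\)\s*=\s+(-?\d+)[^"]*$')         # trailing ") = 0" or ") = -1 ENOENT (...)"

# Constructed sample (not from the thread): login shell 2101, the user types 'sh' (2107), then ls (2110).
SAMPLE = r'''
2101 14:02:07 execve("/bin/bash", ["-bash"], ["HOME=/home/alice", "SHLVL=1"]) = 0
2107 14:02:09 execve("/bin/sh", ["sh"], ["HOME=/home/alice"]) = 0
2110 14:02:15 execve("/usr/local/bin/ls", ["ls", "-l", "/var/log"], ["HOME=/home/alice"]) = -1 ENOENT (No such file or directory)
2110 14:02:15 execve("/bin/ls", ["ls", "-l", "/var/log"], ["HOME=/home/alice"] <unfinished ...>
2107 14:02:15 wait4(-1,  <unfinished ...>
2110 14:02:15 <... execve resumed>) = 0
'''.strip().splitlines()

def parse_call(body):
    """Split 'execve("path", ["a", "b"], ...' into (path, argv, rest of line)."""
    m = CSTR.match(body, len("execve("))
    if not m or not body.startswith(", [", m.end()):
        return None
    path, pos, argv = m.group(1), m.end() + 3, []
    while (a := CSTR.match(body, pos)):
        argv.append(a.group(1))          # escapes stay exactly as strace printed them
        pos = a.end() + (2 if body.startswith(", ", a.end()) else 0)
    return path, argv, body[pos:]

def exec_events(lines):
    """One dict per execve, pairing '<unfinished ...>' with its 'resumed' line."""
    pending, events = {}, []
    for h in filter(None, (HEAD.match(l.strip()) for l in lines)):
        pid, when, body = int(h.group(1)), h.group(2), h.group(3)
        if body.startswith("execve(") and (call := parse_call(body)):
            ev, rest = {"pid": pid, "time": when, "path": call[0], "argv": call[1]}, call[2]
            if "<unfinished" in rest:
                pending[pid] = ev        # the result arrives on a later line
                continue
        elif body.startswith("<... execve resumed>") and pid in pending:
            ev, rest = pending.pop(pid), body
        else:
            continue
        r = RESULT.search(rest)
        ev["ok"] = bool(r) and r.group(1) == "0"
        events.append(ev)
    return events

def commands_run(lines):
    """(pid, command line) for execs that succeeded; failed PATH probes are dropped."""
    return [(e["pid"], " ".join(e["argv"])) for e in exec_events(lines) if e["ok"]]
```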
* Re: Remote login Typed commands
From: James @ 2002-06-17 20:38 UTC (permalink / raw)
To: linux-admin
On Mon, Jun 17, 2002 at 11:16:17AM -0400, Tyler wrote:
| On Mon, Jun 17, 2002 at 09:09:39AM -0600, Abiy,Mike [Edm] wrote:
| >
| > The part that I am more concerned about is the keystrokes used (commands
| > run) during the remote login session. I can find out who logged in from
| > the wtmp file in /var/log, but I would like to be able to find what
| > commands they used during a particular session.
| > thanks
| > mike
|
| Not really, unless you set up a keystroke logger ahead of time. You
| could always read the user's ~/.bash_history or equivalent, but
| if the user is doing something malicious, he or she will probably remove
| or alter that file.
Beware it might be an invasion of their privacy, and you might capture
"sensitive" things like passwords for other systems and their credit
card details.
Also they might just log in, type 'sh' and all you'll see is they
started a new shell and that's it, unless you're somehow intercepting
data coming across the network (which'd fail if they use SSH).
--
I will not waste chalk
PGP Fingerprint [6AD6 865A BF6E 76BB 1FC2 E4C4 DEEA 7D08 D511 E149]
PGP Public key [www.piku.org.uk/public-key.asc] - Home [www.piku.org.uk]
* Re: Remote login Typed commands
From: Glynn Clements @ 2002-06-17 23:05 UTC (permalink / raw)
To: linux-admin
James wrote:
> | > The part that I am more concerned about is the keystrokes used (commands
> | > run) during the remote login session. I can find out who logged in from
> | > the wtmp file in /var/log, but I would like to be able to find what
> | > commands they used during a particular session.
> | > thanks
> | > mike
> |
> | Not really, unless you set up a keystroke logger ahead of time. You
> | could always read the user's ~/.bash_history or equivalent, but
> | if the user is doing something malicious, he or she will probably remove
> | or alter that file.
>
> Beware it might be an invasion of their privacy, and you might capture
> "sensitive" things like passwords for other systems and their credit
> card details.
>
> Also they might just log in, type 'sh' and all you'll see is they
> started a new shell and that's it, unless you're somehow intercepting
> data coming across the network (which'd fail if they use SSH).
The traditional mechanism for keystroke logging sits between the
network connection and the (pseudo) terminal, so it will capture
everything that's coming over the network.
Ultimately, however, user input is only part of the picture. It's
always possible to do things in such a way that the user input doesn't
look suspicious.
--
Glynn Clements <glynn.clements@virgin.net>