Tracking user's activity

Greetings,

I've been looking for a proper way to to track down user's
activity
inside the shell as I'm helping my colleague to configure a
web
hosting and shell hosting server.

Someone have referred me to this article --
h
ttp://bsdtips.utcorp.net/mediawiki/index.php/Snoop which
is using
'watch' commands to view user's activity once they logged in
to the
server

I found that this 'watch' utility is very useful and are
able to
fulfill my needs but I can only be able to watch the
activity once I'm
logging to the server at the time the users are logging in.

Is there is any way that logging user's activity can be done
without a
need for me to login at the server at the same time? Perhaps
the
activity can be logged into a file and I can read it later.

Or is there is any other utility I can use just to monitor
user's
activity as the server is misused by a user previously and I
don't
want it to happen again in the future.

Best regards,


-- 
-- Anjang Aki --
mailman.mscgmail.com
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"

Anjang Aki wrote:
> Greetings,
>
> I've been looking for a proper way to to track down
user's activity
> inside the shell as I'm helping my colleague to
configure a web
> hosting and shell hosting server.
>
> Someone have referred me to this article --
> h
ttp://bsdtips.utcorp.net/mediawiki/index.php/Snoop which
is using
> 'watch' commands to view user's activity once they
logged in to the
> server
>
> I found that this 'watch' utility is very useful and
are able to
> fulfill my needs but I can only be able to watch the
activity once I'm
> logging to the server at the time the users are logging
in.
>
> Is there is any way that logging user's activity can be
done without a
> need for me to login at the server at the same time?
Perhaps the
> activity can be logged into a file and I can read it
later.
>
> Or is there is any other utility I can use just to
monitor user's
> activity as the server is misused by a user previously
and I don't
> want it to happen again in the future.
>
> Best regards,
>
>
>   

Hello!
You can use "script filename" and start doing your
stuff. The user can 
press CTRL-D when he's finished doing his stuff so the
content can be 
flushed to the file.

Happy new year,
Frank
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"

You could also just run the watch command in a screen
session or even
daemonize it, if possible.


-----Original Message-----
From: owner-freebsd-securityfreebsd.org
[mailto:owner-freebsd-securityfreebsd.org] On Behalf Of
Frank
Sent: Tuesday, January 01, 2008 3:00 PM
To: Anjang Aki
Cc: freebsd-securityfreebsd.org
Subject: Re: Tracking user's activity

Anjang Aki wrote:
> Greetings,
>
> I've been looking for a proper way to to track down
user's activity
> inside the shell as I'm helping my colleague to
configure a web
> hosting and shell hosting server.
>
> Someone have referred me to this article --
> h
ttp://bsdtips.utcorp.net/mediawiki/index.php/Snoop which
is using
> 'watch' commands to view user's activity once they
logged in to the
> server
>
> I found that this 'watch' utility is very useful and
are able to
> fulfill my needs but I can only be able to watch the
activity once I'm
> logging to the server at the time the users are logging
in.
>
> Is there is any way that logging user's activity can be
done without a
> need for me to login at the server at the same time?
Perhaps the
> activity can be logged into a file and I can read it
later.
>
> Or is there is any other utility I can use just to
monitor user's
> activity as the server is misused by a user previously
and I don't
> want it to happen again in the future.
>
> Best regards,
>
>
>   

Hello!
You can use "script filename" and start doing your
stuff. The user can 
press CTRL-D when he's finished doing his stuff so the
content can be 
flushed to the file.

Happy new year,
Frank
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"

__________ NOD32 2759 (20080101) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com

_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"

Old, but good.

/usr/ports/security/snoopy/pkg-descr

snoopy is merely a shared library that is used as a wrapper
to the execve() function provided by libc as to log every
call
to syslog (authpriv).  system administrators may find
snoopy
useful in tasks such as light/heavy system monitoring,
tracking other
administrator's actions as well as getting a good 'feel' of
what's going on in the system (for example apache running
cgi
scripts).

WWW: http://
sourceforge.net/projects/snoopylogger/



Anjang Aki wrote:
> Greetings,
>
> I've been looking for a proper way to to track down
user's activity
> inside the shell as I'm helping my colleague to
configure a web
> hosting and shell hosting server.
>
>   

_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"

Greetings again,

Seems like this utility suits my need. I have installed it
using ports
but couldn't find any clue where the log file for snoopy is
saved or
whether snoopy is running on my system.

Based on Kevin K reply:
"You could also just run the watch command in a screen
session or even
daemonize it, if possible."

..perhaps this watch process can be automated using script
but my
scripting skills is poor.

Any advice is greatly appreciated in advanced.

Regards,

On 1/2/08, Jason Chambers <jchambersucla.edu> wrote:
> Old, but good.
>
> /usr/ports/security/snoopy/pkg-descr
>
> snoopy is merely a shared library that is used as a
wrapper
> to the execve() function provided by libc as to log
every call
> to syslog (authpriv).  system administrators may find
snoopy
> useful in tasks such as light/heavy system monitoring,
tracking other
> administrator's actions as well as getting a good
'feel' of
> what's going on in the system (for example apache
running cgi
> scripts).
>
> WWW: http://
sourceforge.net/projects/snoopylogger/
>
>
>
> Anjang Aki wrote:
> > Greetings,
> >
> > I've been looking for a proper way to to track
down user's activity
> > inside the shell as I'm helping my colleague to
configure a web
> > hosting and shell hosting server.
> >
> >
>
>


-- 
-- Anjang Aki --
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"

On Wed, 2 Jan 2008, Anjang Aki wrote:

> I've been looking for a proper way to to track down
user's activity inside 
> the shell as I'm helping my colleague to configure a
web hosting and shell 
> hosting server.
>
> Someone have referred me to this article -- 
> h
ttp://bsdtips.utcorp.net/mediawiki/index.php/Snoop which
is using 'watch' 
> commands to view user's activity once they logged in to
the server
>
> I found that this 'watch' utility is very useful and
are able to fulfill my 
> needs but I can only be able to watch the activity once
I'm logging to the 
> server at the time the users are logging in.
>
> Is there is any way that logging user's activity can be
done without a need 
> for me to login at the server at the same time? Perhaps
the activity can be 
> logged into a file and I can read it later.
>
> Or is there is any other utility I can use just to
monitor user's activity 
> as the server is misused by a user previously and I
don't want it to happen 
> again in the future.

On recent FreeBSD versions, you can use the security event
auditing facility 
to log all programs run by the user.  This isn't quite the
same as all 
commands, as some commands are internal to the shell (i.e.,
"echo", "alias", 
"cd", etc), but would certainly give you a trail
of all substantive commands 
(editor sessions, etc).  Take a look at the FreeBSD handbook
chapter on audit. 
Make sure to set the policy flag to capture the full command
line, not just 
the command itself.

   http://www.freebsd.org/doc/en_US.ISO8859-1/b
ooks/handbook/audit.html

I use the following /etc/security/audit_control to configure
command line 
auditing on my shell boxes:

   dir:/var/audit
   flags:lo,+ex
   minfree:20
   naflags:lo,+ex
   policy:cnt,argv
   filesz:104857600

I also have audit_warn configured to compress the trails
when they are cycled, 
per the example in the chapter.  You can then use
auditreduce and praudit to 
select and print records in various forms.  If you're not
interested in 
auditing commands by all users, you can use the audit_user
config file to 
specify +ex auditing for just that one user.

Robert N M Watson
Computer Laboratory
University of Cambridge



>
> Best regards,
>
>
> -- 
> -- Anjang Aki --
> mailman.mscgmail.com
> _______________________________________________
> freebsd-securityfreebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
> To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"
>
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"