[NTLUG:Discuss] Monitor user's activity
Kelledin
kelledin+NTLUG at skarpsey.dyndns.org
Wed Apr 14 19:07:24 CDT 2004
On Wednesday 14 April 2004 05:39 pm, David Ross wrote:
> "if you want to log users shell history and otherwise tighten
> up security I would recommend setting the configuration files
> in the user's home directory to immutable using the chattr
> command, and set the log files (such as .bash_history) to
> append only. Doing this however opens up some legal issues, so
> make sure your users are aware they are being logged and have
> agreed to it, otherwise you could get into trouble."

Even that can be defeated, though, if the user just sets
HISTSIZE=0 in his environment when he gets a shell up. Or who
knows--he may just compile a custom shell without history
logging and exec it when he logs in. He's just got too many
ways to get around locked config files.

For more reliable tracking of user action, you might try
full-blown process accounting. See this guide for Linux:

http://www.userlocal.com/security/seclogging.php

Note that it will give you a LOT of logged info from this. In a
common multiuser setting, you'll get outright swamped unless you
use logrotate.

For Solaris, see this guide:

http://security.uchicago.edu/unix/solaris/procacct.html

Same caveats--you will get tons of logged info. There's a good
chance that logrotate will work on Solaris, but I've never tried
it.

And, of course, same privacy issues apply.

--
Kelledin
"If a server crashes in a server farm and no one pings it, does
it still cost four figures to fix?"
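
Added example, not part of the post above or of the linked guides: a reader for Linux process accounting records that lists commands outside an expected set, which is how a custom shell with no history file still shows up. Assumptions: the file uses the kernel's 64-byte `acct_v3` layout from `<linux/acct.h>` and was written on a little-endian host; the sample records and the shell name `mysh` are constructed.

```python
import struct
from collections import Counter, defaultdict

# Layout of struct acct_v3 in <linux/acct.h> (64 bytes per record).
# Assumption: the file was written on a little-endian host.
ACCT_V3 = struct.Struct("<BBH6If8H16s")
AFORK, ASU = 0x01, 0x02  # forked without exec; used superuser privileges


def parse_acct(blob):
    """Yield a dict per record; a partial trailing record is ignored."""
    usable = len(blob) - len(blob) % ACCT_V3.size
    for off in range(0, usable, ACCT_V3.size):
        f = ACCT_V3.unpack_from(blob, off)
        if f[1] != 3:
            raise ValueError(f"offset {off}: acct version {f[1]}, expected 3")
        yield {
            "flags": f[0], "uid": f[4], "pid": f[6], "ppid": f[7],
            # ac_comm is the command name only: no path, no arguments.
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
        }


def commands_by_uid(records):
    """Count command names per real uid."""
    seen = defaultdict(Counter)
    for r in records:
        seen[r["uid"]][r["comm"]] += 1
    return seen


def outside_baseline(records, baseline):
    """Return (uid, pid, comm) for commands not in the expected set."""
    return [(r["uid"], r["pid"], r["comm"]) for r in records
            if r["comm"] not in baseline]


def make_record(uid, pid, ppid, comm, flags=0):
    """Build one constructed record for the demo below."""
    return ACCT_V3.pack(flags, 3, 0, 0, uid, uid, pid, ppid, 0, 0.0,
                        *([0] * 8), comm.encode())


# Constructed sample: uid 1001 builds and runs a hypothetical shell "mysh".
# Records are written at process exit, so the shell follows its children.
SAMPLE = b"".join([
    make_record(1001, 4099, 4000, "gcc"),
    make_record(1001, 4102, 4100, "ls"),
    make_record(1001, 4100, 4000, "mysh"),
    make_record(1002, 4200, 4001, "ls"),
])
```

Because each record carries only the command name, a renamed binary is indistinguishable from the real one here; the baseline check narrows what to look at, not what happened.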