washoutt

Log a user's activity

Is there any way in which I can log a specific user's activity? I've got a user, of the group user, login name user1. I want to log everything this user types in a file only accessible by root, and (if possible) all the output this user receives.
jlevie

I don't know of any built-in way to do that. It sounds like you suspect this user of some sort of improper activity, and if I knew a bit more about the situation I might be able to suggest alternatives.
If this is just for idle curiosity, then what you're planning to do is unethical, and if you did it to me I'd kick your ass.  If this is a security issue, you should read the Security-HOWTO at
http://howto.tucows.com/LDP/HOWTO/Security-HOWTO.html
The file named .bash_history under the user's home directory logs everything the user types. It's the file responsible for the feature that allows you to press the up arrow and see the other command lines you've typed before, even after a shutdown. That doesn't stay in the RAM like in DOSKEY.

So all you'd have to do is to create a script that would make a copy of that file of the user to be watched and add this script to the crontab to be run regularly. This way you'd keep an updated copy of it, say, every minute.

To log the output the user gets on the screen would be much harder, I really don't know how to do that. I don't think it's possible, also. But I think you can judge the user's actions from its commands.

 Good luck!
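The cron-driven history copy suggested in the post above, as an added example that is not part of the original thread. It goes slightly beyond a plain copy by keeping a new snapshot only when the file has changed; the function name, install path and archive directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: keep root-only snapshots of a watched
# user's shell history. Function name, paths and cron line are hypothetical.
# Note: bash writes .bash_history when the shell exits unless configured
# otherwise, and the user can edit the file, so this is a best-effort record.
#
# Root crontab entry (hypothetical install path), run every minute:
#   * * * * * /usr/local/sbin/snapshot-history.sh /home/user1/.bash_history /var/log/user1-history

# snapshot_history HISTFILE ARCHIVE_DIR
# Stores a numbered, timestamped copy of HISTFILE in ARCHIVE_DIR whenever its
# content differs from the newest snapshot. Prints the new snapshot's path,
# prints nothing if unchanged, returns 1 if HISTFILE is unreadable.
snapshot_history() {
    src=$1
    dest=$2
    [ -r "$src" ] || return 1
    (   # subshell: the umask change does not leak to the caller
        umask 077
        mkdir -p "$dest" || exit 1
        chmod 700 "$dest" || exit 1

        # Globs expand in sorted order, so the last match is the newest snapshot.
        n=0
        latest=
        for f in "$dest"/history.*; do
            [ -e "$f" ] || continue
            n=$((n + 1))
            latest=$f
        done
        if [ -n "$latest" ] && cmp -s "$src" "$latest"; then
            exit 0
        fi

        out="$dest/history.$(printf '%06d' $((n + 1))).$(date -u +%Y%m%dT%H%M%SZ)"
        cp -- "$src" "$out" && chmod 600 "$out" && printf '%s\n' "$out"
    )
}

# When run as a script with two arguments, take one snapshot.
if [ "$#" -eq 2 ]; then
    snapshot_history "$1" "$2" >/dev/null
fi
```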
There is a superb program called "script" which gives you an entire transcript of everything that the user does.  It is part of a package called util-linux-2.9w-24. Just check it out.
Turning "history" on is a common thing for sysadmins to do if they suspect a user. The exact setting is different depending on what shell the user is using (the last item on his line in the /etc/passwd file, or doing a "finger" on his login, may tell you). But history only shows what the person types.

If you really want to see what he gets back then you might try putting a "tee" command into his login file to pipe all of his stuff to a file and back to his console at the same time.

If he is hacking you it's much easier (and more fun) to find a sniffer he leaves running and use his own sniff logs against him. :-)

Gandalf  Parker
ASKER CERTIFIED SOLUTION
hugonz

Additional info....

Be aware that your typing into the other user's tty using ttysnoop will show on HIS/HER tty. This way you get control on his tty...

Also, they can see (if they're kinda proficient in Linux/Unix) that they can be snooped by typing
$ ps aux

They'll see the in.ttysnoop (or the name of the daemon) instead of in.telnetd. Anyway, they're unable to tell if they're being snooped, but they can see it's enabled in the server.

Hugonz