Solved

Access Log files,

Posted on 2003-10-29
Last Modified: 2010-04-22
Hi there,

I created a user, say called Test. Here is what he did:

Say the user test goes to directory /etc:
cd /etc
vi passwd

Is it possible as an admin to know that the user test went to the directory called /etc? I know they keep it in .bash_history in the home directory of every user, but the thing is the user can delete those files, so we don't have any record of it.
Is it possible to know?
1. Using all the functionality that comes standard with Linux or Sun OS
2. Or maybe is there any additional software that you know of to see what the user opened?


Question by:wilslm
6 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 900 total points
ID: 9645965
The only way you can know for sure exactly what each user did is to turn on Kernel System Call Auditing.
The Center for Internet Security (www.cisecurity.org) has OS-specific Benchmark documents that tell you how to do this.
Warning: Kernel System Call Auditing will affect system performance and use a lot of disk space.
0
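How the records written by kernel system call auditing answer the original question, as an added example that is not part of the post above. It assumes Linux auditd with a file watch such as `auditctl -w /etc/passwd -p rwa -k passwd_access`; the log lines, the login UID 1001 for user test, and the key name are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Linux auditd log format (not from the original thread).
# Assumed watch rule: auditctl -w /etc/passwd -p rwa -k passwd_access
# auid is the login UID; unlike uid it does not change after su or sudo.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1067421312.101:4182): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 tty=pts0 comm="vi" exe="/usr/bin/vi" key="passwd_access"
type=CWD msg=audit(1067421312.101:4182): cwd="/etc"
type=PATH msg=audit(1067421312.101:4182): item=0 name="passwd" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1067421350.500:4190): arch=c000003e syscall=257 success=yes exit=3 auid=0 uid=0 tty=pts1 comm="cat" exe="/usr/bin/cat" key="passwd_access"
type=CWD msg=audit(1067421350.500:4190): cwd="/root"
type=PATH msg=audit(1067421350.500:4190): item=0 name="/etc/passwd" inode=131 nametype=NORMAL
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group audit records by event serial number and merge their fields."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip malformed or truncated records
        rtype, epoch, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[int(serial)]
        ev['time'] = int(epoch)
        if rtype == 'PATH':
            ev.setdefault('paths', []).append(fields.get('name', ''))
        else:
            ev.update(fields)  # SYSCALL gives auid/comm/key, CWD gives cwd
    return dict(events)

def accesses_by(log_text, auid, key):
    """Return (time, command, working dir, path) for one login UID and rule key."""
    events = parse_events(log_text)
    hits = []
    for serial in sorted(events):
        e = events[serial]
        if e.get('auid') == str(auid) and e.get('key') == key:
            for p in e.get('paths', []):
                hits.append((e['time'], e.get('comm', '?'), e.get('cwd', '?'), p))
    return hits

if __name__ == '__main__':
    for hit in accesses_by(SAMPLE_LOG, 1001, 'passwd_access'):
        print(hit)
```

The CWD record is what shows the user was in /etc when the file was opened with a relative name, even though the `cd` itself was a shell built-in.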
 
LVL 14

Assisted Solution

by:chris_calabrese
chris_calabrese earned 900 total points
ID: 9645970
Oh yeah, you can also try System Accounting, which has much less impact on the system than System Call Auditing. But it only captures shell commands, not things done from inside a program (like inside a vi session).
0
 
LVL 1

Assisted Solution

by:learath
learath earned 400 total points
ID: 9645984
It is not possible with the standard logging on most Unix systems. You would want to consider some sort of accounting program to do this, one of which is http://secureaudit.sourceforge.net/.
0

Assisted Solution

by:StevenSim
StevenSim earned 300 total points
ID: 9649673
You can make use of Expect scripting to perform full logging of all keystrokes and output (including curses output). The script can be called from your system profiles. I have seen it in use. Unfortunately I do not have the script with me off-hand. The downside is that logs are huge.

I think what is most important is that your /etc/passwd has proper read-only permissions. If finer grained access is required, then use ACLs. Ultimately, since encrypted passwords are stored in the shadow files, read access of /etc/passwd is very much harmless.
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 400 total points
ID: 9662709
Chris knows to hide, don't tell the world, they won't use vi anymore ;-))

To jail a user shell's history depends on the shell.
In tcsh you can use /etc/csh.cshrc and set the histfile variable read-only, then in /etc/csh.logout copy the history to a save file.
AFAIK it works similar in bash.
This might not be very exact (as chris_calabrese already explained), but is a quick&dirty hack to catch the most.
0
 

Author Comment

by:wilslm
ID: 9663815
Thx guys for the input...
I recalled that when I did my first year uni .. I love using "Pico"
My instructor then came to me ... said "you should try to learn VI" (that was in University of Melbourne 1996)

Now in the U.S. ... I asked the technical support regarding "Vi"
and he replied "I am surprised that there is someone still using Vi"
(University of Michigan - Ann Arbor)

=-Life is changed-=

enjoy:)
0
