Solved

Access Log files

Posted on 2003-10-29
1,076 Views
Last Modified: 2010-04-22
Hi there,

I created a user, say called Test; here is what he did:

say the user Test goes to directory /etc
cd /etc
vi passwd

Is it possible as an admin to know that the user Test went to the directory called /etc? I know they keep it in .bash_history in every user's home directory, but the thing is the user can delete those files, so we don't have any record about the log.
Is it possible to know?
1. using all the functionality that comes standard with Linux or Sun OS
2. or maybe is there any additional software that you know of to see what the user opened?


Question by: wilslm

6 Comments
Accepted Solution by chris_calabrese (LVL 14), earned 225 total points, ID: 9645965
The only way you can know for sure exactly what each user did is to turn on Kernel System Call Auditing.
The Center for Internet Security (www.cisecurity.org) has OS-specific Benchmark documents that tell you how to do this.
Warning: Kernel System Call Auditing will affect system performance and use a lot of disk space.

Assisted Solution by chris_calabrese (LVL 14), earned 225 total points, ID: 9645970
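An added example, not code from the thread, of what kernel syscall auditing buys you over history files: on a current Linux system auditd can watch /etc/passwd (e.g. `auditctl -w /etc/passwd -p rwa -k passwd_access`), and the SYSCALL/PATH records it writes can be correlated by event id to show which login user (auid, which survives su) opened the file with which program. The audit records below are constructed samples in audit.log layout; the rule name and key are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: given Linux audit records produced by a
# file watch (assumed: auditctl -w /etc/passwd -p rwa -k passwd_access), report
# which login user opened the watched path, with which program, and whether the
# open succeeded. The audit "auid" is the original login uid, so it survives su.

# Constructed sample records in audit.log layout (a SYSCALL record followed by
# its CWD/PATH records, all sharing the event id that follows the colon).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1067472000.101:311): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2201 pid=2345 auid=1001 uid=1001 euid=1001 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="passwd_access"
type=CWD msg=audit(1067472000.101:311): cwd="/etc"
type=PATH msg=audit(1067472000.101:311): item=0 name="/etc/passwd" inode=131 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1067472030.550:318): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2201 pid=2390 auid=1001 uid=1001 euid=1001 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="etc_watch"
type=PATH msg=audit(1067472030.550:318): item=0 name="/etc/hosts" inode=140 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1067472090.007:325): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=3001 pid=3010 auid=1002 uid=0 euid=0 tty=pts1 ses=7 comm="vi" exe="/usr/bin/vi" key="passwd_access"
type=PATH msg=audit(1067472090.007:325): item=0 name="/etc/passwd" inode=131 mode=0100644 ouid=0 ogid=0 nametype=NORMAL'

# audit_who_touched PATH   (audit records on stdin)
# Prints one line per event whose PATH record names PATH:
#   <event id> auid=<login uid> uid=<uid at the time> comm=<program> success=<yes|no>
audit_who_touched() {
    awk -v target="$1" '
    {
        # event id = the number after the colon inside msg=audit(secs.ms:ID):
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
        ev = substr($0, RSTART, RLENGTH)
        sub(/.*:/, "", ev); sub(/\)/, "", ev)
        # split every key=value field of this record into f[]
        split("", f)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            f[k] = v
        }
        if (f["type"] == "SYSCALL") {
            auid[ev] = f["auid"]; uid[ev] = f["uid"]
            comm[ev] = f["comm"]; ok[ev] = f["success"]
        } else if (f["type"] == "PATH" && f["name"] == target) {
            hit[ev] = 1      # only events that actually touched the target
        }
    }
    END {
        for (ev in hit)
            printf "%s auid=%s uid=%s comm=%s success=%s\n", ev, auid[ev], uid[ev], comm[ev], ok[ev]
    }' | sort -n
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_who_touched /etc/passwd
```

Event 325 is the instructive one: the editor ran as uid 0 (after su), but auid still names login user 1002, which no edit to ~/.bash_history can change. Event 318 opened /etc/hosts and is correctly left out.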
Oh yeah, you can also try System Accounting, which has much less impact on the system than System Call Auditing. But it only captures shell commands, not things done from inside a program (like inside a vi session).

Assisted Solution by learath (LVL 1), earned 100 total points, ID: 9645984
It is not possible with the standard logging on most Unix systems. You would want to consider some sort of accounting program to do this, one of which is http://secureaudit.sourceforge.net/.
Assisted Solution by StevenSim, earned 75 total points, ID: 9649673
You can make use of Expect scripting to perform full logging of all keystrokes and output (including curses output). The script can be called from your system profiles. I have seen it in use. Unfortunately I do not have the script with me off-hand. The downside is that logs are huge.

I think what is most important is that your /etc/passwd has proper read-only permissions. If finer grained access is required, then use ACLs. Ultimately, since encrypted passwords are stored in the shadow files, read access of /etc/passwd is very much harmless.

Assisted Solution by ahoffmann (LVL 51), earned 100 total points, ID: 9662709
Chris knows to hide, don't tell the world, they won't use vi anymore ;-))

How to jail a user's shell history depends on the shell.
In tcsh you can use /etc/csh.cshrc and set the histfile variable read-only, then in /etc/csh.logout copy the history to a save file.
AFAIK it works similar in bash.
This might not be very exact (as chris_calabrese already explained), but is a quick&dirty hack to catch the most.

Author Comment by wilslm, ID: 9663815
Thx guys for the input...
I recalled that when I did my first year at uni... I loved using "Pico".
My instructor then came to me... said "you should try to learn VI" (that was at the University of Melbourne, 1996).

Now in the U.S. ... I asked the technical support regarding "Vi"
and he replied "I am surprised that there is someone still using Vi"
(University of Michigan - Ann Arbor)

=-Life is changed-=

enjoy:)