Solved

Access Log files,

Posted on 2003-10-29
6
1,062 Views
Last Modified: 2010-04-22
Hi there,

I created a user say call Test , here is what he did

say the test go to directory /etc
cd /etc
vi passwd

Is it possible as a admin to know that the user test went to directory called /etc? I knew they keep it in .bash_history  in every directory of home user, but the thing is the user can delete those file , so we don't have any record about the log.
Is it possibe to know ? 1. using all the functionality that come up standard  Linux or Sun OS
                                 2. or maybe is there any additional software that you know to see what the user open ?


0
Comment
Question by:wilslm
6 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 225 total points
Comment Utility
The only way you can know for sure exactly what each user did is to turn on Kernel System Call Auditing.
The Center for Internet Security (www.cisecurity.org) has OS-specific Benchmark documents that tell you how to do this.
Warning: Kernel System Call Auditing will affect system performance and use a lot of disk space.
0
 
LVL 14

Assisted Solution

by:chris_calabrese
chris_calabrese earned 225 total points
Comment Utility
Oh yeah, you can also try System Accounting, which has much less impact on the system than System Call Auditing. But it only captures shell-commands, not things done from inside a program (like inside a vi session)
0
 
LVL 1

Assisted Solution

by:learath
learath earned 100 total points
Comment Utility
It is not possible with the standard logging on most unix systems.  You would want to consider some sort of accounting program to do this one of which is http://secureaudit.sourceforge.net/.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Assisted Solution

by:StevenSim
StevenSim earned 75 total points
Comment Utility
You can make use of Expect scripting to perform full logging of all keystrokes and output (including curses output). The script can be called from your system profiles. I have seen it in use. Unfortunately I do not have the script with me off-hand. The downside is that logs are huge.

I think what is most important is that your /etc/passwd has proper read-only permissions. If finer grained access is required, then use ACLs. Ultimately, since encrypted passwords are stored in the shadow files, read access of /etc/passwd is very much harmless.
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 100 total points
Comment Utility
Chris knows to hide, don't tell the world, they won't use vi anymore ;-))

To jail a user shell's history depends on the shell.
In tcsh you can use /etc/csh.cshrc and set the histfile variable read-only, then in /etc/csh.logout copy the history to a save file.
AFAIK it works similar in bash.
This might not be very exact (as chris_calabrese already explained), but is a quick&dirty hack to catch the most.
0
 

Author Comment

by:wilslm
Comment Utility
Thx guys for the input...
I recalled that when I did my first year uni .. I love using "Pico"
My instructor then came to me ... said "you should try to learn VI" (that was in University of Melbourne 1996)

Now in U.S ... I asked the techincal support regarding "Vi"
and he replied " Iam surprise that there is somone still using Vi"
(Univeristy of Michigan - Ann Arbor)

=-Life is changed-=

enjoy:)
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now