  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1088
  • Last Modified:

Access Log files,

Hi there,

I created a user, say called Test. Here is what he did:

Say test goes to the directory /etc:
cd /etc
vi passwd

Is it possible as an admin to know that the user test went to the directory called /etc? I knew they keep it in .bash_history in the home directory of every user, but the thing is the user can delete that file, so we don't have any record in the log.
Is it possible to know?
1. using all the functionality that comes standard with Linux or Sun OS
2. or maybe is there any additional software that you know of to see what the user opened?


0
Asked by: wilslm
 
chris_calabrese Commented:
The only way you can know for sure exactly what each user did is to turn on Kernel System Call Auditing.
The Center for Internet Security (www.cisecurity.org) has OS-specific Benchmark documents that tell you how to do this.
Warning: Kernel System Call Auditing will affect system performance and use a lot of disk space.
0
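What kernel system call auditing records for the `cd /etc; vi passwd` case in the question, as an added example that is not part of the original thread: a Python script that groups Linux auditd records by event serial and reports which login UID opened which file with which program. The log lines, the `passwd-read` key and the `auditctl` watch rule named in the comment are constructed assumptions.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample in Linux auditd log format (not data from the thread).
# Assumed watch rule behind the key: auditctl -w /etc/passwd -p r -k passwd-read
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1100000000.101:4711): arch=c000003e syscall=2 success=yes exit=3 ppid=2301 pid=2350 auid=1001 uid=1001 gid=1001 tty=pts1 comm="vi" exe="/usr/bin/vi" key="passwd-read"
type=CWD msg=audit(1100000000.101:4711): cwd="/etc"
type=PATH msg=audit(1100000000.101:4711): item=0 name="passwd" inode=131099 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1100000042.007:4712): arch=c000003e syscall=2 success=yes exit=3 ppid=2400 pid=2401 auid=1001 uid=0 gid=0 tty=pts1 comm="cat" exe="/bin/cat" key="passwd-read"
type=CWD msg=audit(1100000042.007:4712): cwd="/root"
type=PATH msg=audit(1100000042.007:4712): item=0 name="/etc/passwd" inode=131099 mode=0100644 ouid=0 ogid=0
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records that share one audit serial number into a single event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip truncated or non-audit lines
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[serial]
        ev['time'] = float(stamp)
        if rtype == 'SYSCALL':
            # auid is the login UID; it stays the same after su, unlike uid.
            ev.update({k: fields.get(k) for k in ('auid', 'uid', 'exe', 'key')})
        elif rtype == 'CWD':
            ev['cwd'] = fields.get('cwd')
        elif rtype == 'PATH':
            ev.setdefault('paths', []).append(fields.get('name'))
    return events

def file_accesses(text):
    """Return (auid, uid, exe, absolute_path) for every audited path."""
    out = []
    for ev in parse_events(text).values():
        for name in ev.get('paths', []):
            # Relative names (vi passwd after cd /etc) resolve against the CWD record.
            path = posixpath.join(ev.get('cwd', '/'), name)
            out.append((ev.get('auid'), ev.get('uid'), ev.get('exe'), path))
    return out

if __name__ == '__main__':
    for row in file_accesses(SAMPLE_LOG):
        print(*row)
```

Because the records come from the kernel rather than from the shell, the file opened inside `vi` is captured even if the user deletes `.bash_history`.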
 
chris_calabrese Commented:
Oh yeah, you can also try System Accounting, which has much less impact on the system than System Call Auditing. But it only captures shell-commands, not things done from inside a program (like inside a vi session)
0
 
learath Commented:
It is not possible with the standard logging on most unix systems.  You would want to consider some sort of accounting program to do this, one of which is http://secureaudit.sourceforge.net/.
0

 
StevenSim Commented:
You can make use of Expect scripting to perform full logging of all keystrokes and output (including curses output). The script can be called from your system profiles. I have seen it in use. Unfortunately I do not have the script with me off-hand. The downside is that logs are huge.

I think what is most important is that your /etc/passwd has proper read-only permissions. If finer grained access is required, then use ACLs. Ultimately, since encrypted passwords are stored in the shadow files, read access of /etc/passwd is very much harmless.
0
 
ahoffmann Commented:
Chris knows to hide, don't tell the world, they won't use vi anymore ;-))

To jail a user shell's history depends on the shell.
In tcsh you can use /etc/csh.cshrc and set the histfile variable read-only, then in /etc/csh.logout copy the history to a save file.
AFAIK it works similarly in bash.
This might not be very exact (as chris_calabrese already explained), but is a quick&dirty hack to catch the most.
0
 
wilslm (Author) Commented:
Thx guys for the input...
I recalled that when I did my first year uni .. I loved using "Pico"
My instructor then came to me ... said "you should try to learn VI" (that was in University of Melbourne 1996)

Now in U.S ... I asked the technical support regarding "Vi"
and he replied "I am surprised that there is someone still using Vi"
(University of Michigan - Ann Arbor)

=-Life is changed-=

enjoy:)
0
