Access Log files,

Hi there,

I created a user, say called Test; here is what he did:

Say test goes to the directory /etc:
cd /etc
vi passwd

Is it possible as an admin to know that the user test went to the directory called /etc? I know they keep it in .bash_history in every user's home directory, but the thing is the user can delete those files, so we don't have any record in the log.
Is it possible to know?
1. Using all the functionality that comes standard with Linux or Sun OS
2. Or maybe is there any additional software that you know of to see what the user opened?


wilslm Asked:

chris_calabrese Commented:
The only way you can know for sure exactly what each user did is to turn on Kernel System Call Auditing.
The Center for Internet Security (www.cisecurity.org) has OS-specific Benchmark documents that tell you how to do this.
Warning: Kernel System Call Auditing will affect system performance and use a lot of disk space.
0
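What such an audit trail lets an admin answer, as an added example that is not part of the original answer: the script correlates SYSCALL, CWD and PATH records by event serial and lists which login UID opened files under a directory. It assumes the Linux auditd log format; the sample records, UIDs and function names are constructed for illustration.

```python
import posixpath
import re
import shlex
from collections import defaultdict

# Constructed sample in the Linux auditd record format (an assumption).
# auid is the login UID: it survives su/sudo and a deleted shell history.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1100000000.101:501): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2150 auid=1001 uid=1001 tty=pts0 comm="vi" exe="/usr/bin/vi"
type=CWD msg=audit(1100000000.101:501): cwd="/etc"
type=PATH msg=audit(1100000000.101:501): item=0 name="passwd" inode=1234 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1100000009.300:502): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2161 auid=1001 uid=1001 tty=pts0 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1100000009.300:502): cwd="/home/test"
type=PATH msg=audit(1100000009.300:502): item=0 name="notes.txt" inode=5678 mode=0100644 ouid=1001 ogid=1001
type=SYSCALL msg=audit(1100000015.412:503): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2170 auid=1001 uid=0 tty=pts0 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1100000015.412:503): cwd="/home/test"
type=PATH msg=audit(1100000015.412:503): item=0 name="/etc/hosts" inode=1240 mode=0100644 ouid=0 ogid=0
"""

HEADER = re.compile(r'type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)')

def parse_events(log_text):
    """Group records by event serial; all records of one syscall share it."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, serial, rest = m.groups()
        fields = dict(t.split("=", 1) for t in shlex.split(rest) if "=" in t)
        ev = events[int(serial)]
        if rtype == "SYSCALL":
            ev.update(auid=fields.get("auid"), exe=fields.get("exe"))
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return events

def accesses_under(log_text, directory):
    """Return (serial, auid, exe, absolute path) for files under directory."""
    prefix = directory.rstrip("/") + "/"
    hits = []
    for serial, ev in sorted(parse_events(log_text).items()):
        for name in ev["paths"]:
            # PATH names may be relative; resolve them against the CWD record.
            full = posixpath.normpath(posixpath.join(ev.get("cwd", "/"), name))
            if full.startswith(prefix):
                hits.append((serial, ev.get("auid"), ev.get("exe"), full))
    return hits
```

Calling `accesses_under(SAMPLE_LOG, "/etc")` reports the `vi passwd` from inside `/etc` even though the PATH record holds only the relative name, and still attributes event 503 to login UID 1001 although the effective uid was 0.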

chris_calabrese Commented:
Oh yeah, you can also try System Accounting, which has much less impact on the system than System Call Auditing. But it only captures shell commands, not things done from inside a program (like inside a vi session).
0
learath Commented:
It is not possible with the standard logging on most Unix systems. You would want to consider some sort of accounting program to do this, one of which is http://secureaudit.sourceforge.net/.
0
StevenSim Commented:
You can make use of Expect scripting to perform full logging of all keystrokes and output (including curses output). The script can be called from your system profiles. I have seen it in use. Unfortunately I do not have the script with me off-hand. The downside is that logs are huge.

I think what is most important is that your /etc/passwd has proper read-only permissions. If finer grained access is required, then use ACLs. Ultimately, since encrypted passwords are stored in the shadow files, read access of /etc/passwd is very much harmless.
0
ahoffmann Commented:
Chris knows to hide, don't tell the world, they won't use vi anymore ;-))

To jail a user shell's history depends on the shell.
In tcsh you can use /etc/csh.cshrc and set the histfile variable read-only, then in /etc/csh.logout copy the history to a save file.
AFAIK it works similar in bash.
This might not be very exact (as chris_calabrese already explained), but is a quick&dirty hack to catch the most.
0
wilslm Author Commented:
Thx guys for the input...
I recalled that when I did my first year of uni .. I loved using "Pico"
My instructor then came to me ... said "you should try to learn VI" (that was at the University of Melbourne, 1996)

Now in the U.S. ... I asked the technical support regarding "Vi"
and he replied "I am surprised that there is someone still using Vi"
(University of Michigan - Ann Arbor)

=-Life is changed-=

enjoy:)
0