Re: Logging User Activity
On Wednesday 14 May 2003 10:23, Nathan E Norman wrote:
> On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> > Dear All,
> >
> > Currently implementing a number of modifications to our internal security
> > policies and one addition I am attempting to add is the full logging of
> > user activity.
> >
> > I cannot find any simple way of achieving this within the standard docs
> > and searching the web for "log user activity linux debian" does throw up
> > some not particularly useful links, including a package for filtering my
> > users output to the FBI, not much good for the UK.
> >
> > Can anyone point me in the right direction?
>
> Are you trying to log activity on machines or on the network?

Particularly good question ;)
My suggestion would be to consider both.

For network logging we can 'argue' about what
sniffers/stream-assemblers/system-logging utils are the best, so I won't get
into it. I would simply use syslog-ng and have everything sent over a tunnel
with a signature to avoid spoofing; this would only work if your 'network
logging' util is capable of using syslog-ng to save logs.

Anyway, consider forcing the users to use a certain shell and have the shell
log everything the users do, a la keystroke granularity.

A solution may be to separate your users using what Sebastian suggested,
grsecurity.

Another solution would be to chroot all your users (but I generally think it's
more of a pain and would simply piss off most of them).
http://www.digitaloffense.net/chrsh/chrsh.c
http://www.g0thead.com/chrsh-user-setup.txt
--
------------------------------
Orlando Padilla
http://www.g0thead.com/xbud.asc
"I only drink to make other people interesting"
------------------------------
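
The "signature to avoid spoofing" idea from the reply above, as an added example that is not part of the original message: a collector that accepts a forwarded log line only if its HMAC tag verifies and its sequence number is new. The host names, keys and the `host|seq|message|tag` record layout are constructed for illustration and are not syslog-ng's wire format.

```python
import hashlib
import hmac

# Constructed per-host keys; each sending host gets its own secret.
KEYS = {"web1": b"constructed-demo-key-web1", "db1": b"constructed-demo-key-db1"}


def sign_record(host, seq, message, key):
    """Sender side: append an HMAC-SHA256 tag over host, sequence and message."""
    body = f"{host}|{seq}|{message}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class Collector:
    """Receiver side: accept a record only if the tag verifies and the
    sequence number is higher than the last one seen from that host."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}

    def accept(self, line):
        try:
            body, tag = line.rsplit("|", 1)
            host, seq_text, _message = body.split("|", 2)
            seq = int(seq_text)
        except ValueError:
            return "malformed"
        key = self.keys.get(host)
        if key is None:
            return "unknown-host"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak tag prefixes.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-signature"
        if seq <= self.last_seq.get(host, -1):
            return "replayed"
        self.last_seq[host] = seq
        return "ok"


def demo():
    collector = Collector(KEYS)
    genuine = sign_record("web1", 1, "sshd: session opened for user alice", KEYS["web1"])
    forged = "web1|2|sshd: session opened for user root|" + "0" * 64
    # The genuine line is submitted twice to show replay rejection.
    return [collector.accept(line) for line in (genuine, forged, genuine)]


if __name__ == "__main__":
    print(demo())
```

The sequence check matters as much as the tag: without it, a captured genuine line could be re-sent later and still verify.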