Summary: Logging all user activity.

From: Peter <fbsdq_at_yahoo.com>
Date: Thu May 17 2001 - 16:59:23 EDT
Thanks to a lot of people including:

Neill, Mark
Julian, John
Thomas, Knox
Daniel, Tate
and others.

........Original Question at the bottom......................

...Julian:...
he can move his .profile because he has write permission in his home dir. 
Moving, deleting files only require write perms on the dir. 
.../Julian...

Consensus was:

...Daniel...
Enable logging. 
 
1 - touch /var/adm/pact as root 
2 - /etc/init.d/acct start 
 
the command to use is 'lastcomm' 
.../Daniel...

...Thomas...
In sshd_config: 
 
ssh2 and OpenSSH: 
SyslogFacility AUTH 
LogLevel DEBUG 
 
ssh1: 
FacistLogging YES 

restart ssh:  "sshd -e 2>/my/log/file". 

That will send all logging to /my/log/file and not to the 
syslog. 
 
Careful, these logs can get BIG. I'd suggest using logrotate to manage 
them. 
.../Thomas...

[Above Quoted directly more or less]

	Basically the consensus was that I enable the Solaris built in accounting features --
'man acct' which would probably solve my prolem but is more trouble than its worth.
	SSH accounting features seem to be the next best thing, but those don't
discriminate between users, so the log file would grow to be very big very fast :p.
	Another thing I could do is recompile 'script', which I think is the best answer.
If I had gcc installed on here, I would recompile it so that it is quiet, hence user
has no idea he is being logged unless he does 'ps -ef' or 'lsof' or 'cat .profile' -- 
I doubt he will think that if he doesn't suspect anything.  
	Since this is a small intranet DB server for our office, the SSH answer is right now
the easiest and best solution, but for anyone else with lots of users, recompiling 'script'
would be the best way to log someone -- 'Script' will only fool a newbie, but won't fool
just about anyone else that runs 'ps' or customizes his .profile, this is where SSH and
the Solaris acct features come into play and will work better.


www.nul.cjb.net
www.FreeBSD.org



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


Received on Thu May 17 21:59:23 2001

This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:24:55 EDT