Have you tried using process accounting?
bbzz said:
Hi guys.
What would be the best way to record user shell activity, that is, whatever each user types in the console, even if logged to another box, needs to be recorded in a file. Is there an application which would do just that?
Kind Regards
Process accounting is a security method in which an administrator may keep track of system resources used and their allocation among users, provide for system monitoring, and minimally track a user's commands.
This indeed has both positive and negative points. One of the positives is that an intrusion may be narrowed down to the point of entry. A negative is the amount of logs generated by process accounting, and the disk space they may require. This section walks an administrator through the basics of process accounting.
# touch /var/account/acct
# chmod 600 /var/account/acct
# accton /var/account/acct
# echo 'accounting_enable="YES"' >> /etc/rc.conf
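An added example, not part of the original thread or of the documentation quoted above: once accounting is enabled, the records can be reviewed per user. Accounting stores command names rather than what was typed, so this shows how often a user ran each command and which processes ended abnormally or had no terminal. The function names, sample records and assumed `lastcomm` column layout are this example's own.

```sh
#!/bin/sh
# Added example: per-user review of process-accounting records.
# Assumption: input is lastcomm-style text, whitespace separated, as
#   command flags user tty cpu "secs" exit-date
# with "-" for empty flags and "__" for no controlling terminal.

# Constructed sample records (not output from a real system).
sample_lastcomm() {
cat <<'EOF'
sh         -     alice  ttyp5  0.01 secs Tue Mar  4 10:02
ls         -     alice  ttyp5  0.00 secs Tue Mar  4 10:02
ssh        -     alice  ttyp5  0.03 secs Tue Mar  4 10:05
ls         -     alice  ttyp5  0.00 secs Tue Mar  4 10:06
perl       -X    alice  __     1.20 secs Tue Mar  4 10:07
cron       -F    root   __     0.00 secs Tue Mar  4 10:10
vi         -     bob    ttyp6  0.05 secs Tue Mar  4 10:11
EOF
}

# Print "count command" for one user, most frequent first.
acct_commands() {
    awk -v who="$1" '$3 == who { print $1 }' | sort | uniq -c |
        sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# Print one summary line for a user: total records, abnormal exits
# (D = core dump, X = killed by a signal) and records with no tty.
acct_flags() {
    awk -v who="$1" '
        $3 == who {
            n++
            if ($2 ~ /[DX]/) bad++
            if ($4 == "__") notty++
        }
        END { printf "records=%d abnormal=%d notty=%d\n", n, bad, notty }'
}

# Demo on the constructed records.
sample_lastcomm | acct_commands alice
sample_lastcomm | acct_flags alice
```

On a host set up as above, pipe `lastcomm -f /var/account/acct` into either function in place of `sample_lastcomm`.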
bbzz said:
Hi guys.
What would be the best way to record user shell activity, that is, whatever each user types in the console, even if logged to another box, needs to be recorded in a file. Is there an application which would do just that?
Kind Regards
script nsa.log
watch ttyp5
#!/bin/sh
[ "$PAM_TYPE" = "open_session" ] || exit 0
{
echo "User: $PAM_USER"
echo "Ruser: $PAM_RUSER"
echo "Rhost: $PAM_RHOST"
echo "Service: $PAM_SERVICE"
echo "TTY: $PAM_TTY"
echo "Date: `date`"
echo "Server: `uname -a`"
} >> /var/log/user_logins.txt
session optional pam_exec.so /usr/local/bin/notify-login
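#!/bin/sh
# User name exported by pam_exec
user=$PAM_USER
# TTY column of the first session listed by w(1)
tty_line=$(/usr/bin/w -h | head -n1 | awk '{print $2}')
# Record both values in /tmp/test.000
echo "$user" > /tmp/test.000
echo "$tty_line" >> /tmp/test.000
watch "$tty_line" &
script -a "/var/log/siu_user_log/$user.log" &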