Yup,
On 22-Nov-01 Praise wrote:
At 18:37 on Thursday, 22 November 2001, Boris Lorenz wrote:
Yup,
On 22-Nov-01 Lentila de Vultur wrote:
I have a user that after logging on to a machine is presented with a menu (a script called from .profile). I want to log every action that user performs and every output from the system. I tried with the "script" command but I didn't succeed. Has anyone any idea?
Use a keystroke sniffer (like ttysnoop, use Google to find it), or maxty (available from SecurityFocus's tools section), which is a loadable kernel module. Both are nice to use. But it's a nasty thing to spy on local users unless you have a very good reason to do so... :p
What about if they log in from remote? Should we sniff all network packets or is there a better choice?
If you install a tty sniffer/keystroke recorder, it will record any commands executed/keys pressed if a user is logged in via console or virtual terminal, i.e. regardless of whether the user logs in remotely or locally. If you also want to log the traffic the user generates, you may use generic tools like tcpdump or the like. IMO this method is questionable for real 24/7 logging; the amount of log data you will have to cope with will be enormous, be warned. Remember, too much information equals no information... ;)

Again, please don't exaggerate your local logging/sniffing. I know at least one (German) admin whose derriere got legally ripped big time after it turned out that he logged and stored sensitive individual user data, including passwords, email contacts, transcripts of facsimiles, a log of visited web sites (including any POST data), transcripts of IRC chats, and so forth. Now that's what I call fascist logging...
Praise
Take care,
Boris Lorenz <bolo@lupa.de>