    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
   ██                                                                       ██
  █▌                      -   LOGGING USERS CONSOLE   -                      █▌
 █▌                                                                           █▌
 █                                                                            ▐▌
 █ Listed here are a few methods to keep an audit of your users by logging    ▐▌
 █ their shell consoles.                                                      ▐▌
 █ Keep in mind that the methods below for bash are not impossible to bypass, ▐▌
 █ as clever users can find ways around this.                                 ▐▌
 █                                                                            ▐▌
 █ LOG EVERYTHING ON A USER'S CONSOLE:                                        ▐▌
 █ ```````````````````````````````````                                        ▐▌
 █ 1. Log 'everything' on a user's console - input/output:                    ▐▌
 █ I recommend testing this on a test user first - create one if needed.      ▐▌
 █ Make modifications to suit your needs.                                     ▐▌
 █ Find the location of your bash; if it differs from /bin/bash, adjust the   ▐▌
 █ first line of the script to match:                                         ▐▌
 █ which bash                                                                 ▐▌
 █ Create the script, naming it anything you like:                            ▐▌
 █ pico audit_user.sh                                                         ▐▌
 █ Paste this in, changing 'user' to the name of the user whose log is being  ▐▌
 █ saved, or the full path where the log should go; keep in mind that the     ▐▌
 █ user has to have permission to write to that path:                         ▐▌
 █ #!/bin/bash                                                                ▐▌
 █ # run the real shell under script(1): -a appends to the log, -q is quiet   ▐▌
 █ SHELL=/bin/bash script -aq /home/user/audit.log                            ▐▌
 █                                                                            ▐▌
 █ Or if you have a customized MOTD, add the MOTD script to audit_user.sh or  ▐▌
 █ they won't have any MOTD when they log in, for example:                    ▐▌
 █ #!/bin/bash                                                                ▐▌
 █ # show the MOTD first; a failing MOTD script must not block the login      ▐▌
 █ export SHELL=/bin/bash; /etc/motd.tcl; script -aq /home/user/audit.log     ▐▌
 █                                                                            ▐▌
 █ Set perms on the script:                                                   ▐▌
 █ chmod 755 audit_user.sh                                                    ▐▌
 █                                                                            ▐▌
 █ Add the script to the user you want to log the console of:                 ▐▌
 █ su                                                                         ▐▌
 █ pico /etc/passwd                                                           ▐▌
 █ For example to add the script to user dog, mine has this:                  ▐▌
 █ dog:x:1000:1000:,,,:/home/dog:/bin/bash                                    ▐▌
 █ Replace /bin/bash with the script:                                         ▐▌
 █ dog:x:1000:1000:,,,:/home/dog:/home/dog/audit_user.sh                      ▐▌
 █                                                                            ▐▌
 █ So now each time dog logs in, audit_user.sh runs as his login shell and    ▐▌
 █ starts bash under script, logging the console to audit.log. Just like      ▐▌
 █ this won't be logged to audit.log until the user logs out.                 ▐▌
 █                                                                            ▐▌
 █ To view it:                                                                ▐▌
 █ pico audit.log                                                             ▐▌
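The setup above works but has a sharp edge: if the wrapper named in /etc/passwd cannot run (script(1) missing, log path unwritable, typo in the path), the user cannot log in at all, and the raw audit.log is full of terminal escape codes that pico shows as garbage. The following script, added here as an example and not part of the mewbies page, writes a wrapper that falls back to a plain bash login when auditing is impossible, builds the replacement passwd line instead of hand-editing the file, and cleans a finished log for review. The log directory /var/log/console-audit, the per-session file naming and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the mewbies page. Assumed layout: one log per
# session under /var/log/console-audit (create it as root; on ext
# filesystems 'chattr +a' on that directory stops users deleting their logs).

# Write the wrapper that /etc/passwd will name as the user's login shell.
write_audit_wrapper() {
    dest="$1"
    cat >"$dest" <<'EOF'
#!/bin/bash
# Console-audit login shell: run the real shell inside script(1).
export SHELL=/bin/bash
AUDIT_DIR=${AUDIT_DIR:-/var/log/console-audit}
log="$AUDIT_DIR/$(id -un)-$(date +%Y%m%d-%H%M%S).log"
# Only audit when script(1) exists and the log can be opened for append;
# otherwise fall back to a normal login so the user is never locked out.
if command -v script >/dev/null 2>&1 && ( : >>"$log" ) 2>/dev/null; then
    exec script -aq "$log"     # -a append, -q no start/stop banner
fi
exec /bin/bash --login
EOF
    chmod 755 "$dest"
}

# Sanity-check a wrapper before pointing a passwd entry at it.
wrapper_is_usable() {
    [ -f "$1" ] && [ -x "$1" ] && head -n 1 "$1" | grep -q '^#!'
}

# Return the given passwd line with its shell field (the 7th) replaced.
passwd_line_with_wrapper() {
    printf '%s\n' "$1" | awk -F: -v sh="$2" 'BEGIN { OFS = ":" } { $7 = sh; print }'
}

# Strip CSI/OSC escape sequences and carriage returns from a script(1) log
# so it reads cleanly in an editor. Reads stdin or the files given.
ESC=$(printf '\033'); BEL=$(printf '\007'); CR=$(printf '\r')
clean_script_log() {
    LC_ALL=C sed -E \
        -e "s|${ESC}\[[0-9;?]*[ -/]*[@-~]||g" \
        -e "s|${ESC}\][^${BEL}]*${BEL}||g" \
        -e "s|${CR}\$||" "$@"
}

# Usage: sh audit_setup.sh /home/dog/audit_user.sh dog
# Prints the passwd line to install; 'usermod -s /home/dog/audit_user.sh dog'
# applies it without hand-editing /etc/passwd.
if [ $# -eq 2 ]; then
    write_audit_wrapper "$1"
    wrapper_is_usable "$1" || { echo "wrapper $1 is not usable" >&2; exit 1; }
    entry=$(getent passwd "$2") || { echo "no such user: $2" >&2; exit 1; }
    passwd_line_with_wrapper "$entry" "$1"
fi
```

Review a finished session with 'clean_script_log /var/log/console-audit/dog-*.log | less'. The fallback branch is deliberate: an audit that silently stops is better than a user who cannot log in, but it also means a missing script binary disables auditing, so check the log directory for fresh files after each change. As the page notes, a user can still see the wrapper in ps and in /etc/passwd; this keeps them from trivially truncating the log, not from knowing it exists.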
 █                                                                            ▐▌
 █ HACK BASH SOURCE CODE:                                                     ▐▌
 █ ``````````````````````                                                     ▐▌
 █ 1. Alter the bash source code so that all users' commands are logged to    ▐▌
 █ /var/log, see HERE and scroll down to 'iv. Hacking bash - interfacing      ▐▌
 █ with syslog'.                                                              ▐▌
 █                                                                            ▐▌
 █ VIEW ANOTHER USER'S CONSOLE LIVE:                                          ▐▌
 █ `````````````````````````````````                                          ▐▌
 █ 1. VCS:                                                                    ▐▌
 █ Use vcs, the virtual console memory device included with Debian: man vcs   ▐▌
 █ or view the man page HERE.                                                 ▐▌
 █ http://linux.die.net/man/4/vcs                                             ▐▌
 █                                                                            ▐▌
 █ 2. TTY:                                                                    ▐▌
 █ Use their tty number to view the commands they execute live. Find their    ▐▌
 █ tty number by entering:                                                    ▐▌
 █ w                                                                          ▐▌
 █ Output similar to:                                                         ▐▌
 █ dog   pts/7                                                                ▐▌
 █ So dog's tty number is 7, so then:                                         ▐▌
 █ su                                                                         ▐▌
 █ cat </dev/pts/7                                                            ▐▌
 █ Or you could send it to a log:                                             ▐▌
 █ cat /dev/pts/7 > tty7.log                                                  ▐▌
 █ To view the log:                                                           ▐▌
 █ pico tty7.log                                                              ▐▌
 █ Note: Using cat I noticed some of the cmds executed on my own terminal.    ▐▌
 █ cat will quit when the user logs out.                                      ▐▌
 █                                                                            ▐▌
 █ Problems I noted with this method:                                         ▐▌
 █ It lagged the user's bash session tremendously and messed up characters    ▐▌
 █ the user types in.                                                         ▐▌
 █ If the user were to run: ps au                                             ▐▌
 █ She/he will be able to view it running:                                    ▐▌
 █ root 20588 0.0 0.0 3020 484 pts/6 S+ 05:03 0:00 cat                        ▐▌
 █ Or if logging:                                                             ▐▌
 █ root 20588 0.0 0.0 3020 484 pts/6 S+ 05:03 0:00 cat /dev/pts/7             ▐▌
 █                                                                            ▐▌
 █ 3. TTYSNOOP:                                                               ▐▌
 █ This might be where ttysnoop would fix those problems. It hasn't been      ▐▌
 █ updated in a long time (since 2001), nor have I tried it myself. The       ▐▌
 █ ttysnoop site is HERE, read the man page HERE.                             ▐▌
 █ aptitude update                                                            ▐▌
 █ aptitude install ttysnoop                                                  ▐▌
 █ Some usage information HERE.                                               ▐▌
 █                                                                            ▐▌
 █ 4. SUDOSH2:                                                                ▐▌
 █ sudosh2 works like VCS to record shell sessions. The website is HERE,      ▐▌
 █ project page HERE, view the man page HERE.                                 ▐▌
 █ You'll need sudo to use sudosh. sudo is not installed by default on        ▐▌
 █ Debian. Test if you have it:                                               ▐▌
 █ sudo                                                                       ▐▌
 █ If output is: bash: sudo: command not found                                ▐▌
 █ Then view my sudo page HERE.                                               ▐▌
 █                                                                            ▐▌
 █ Check the site for the latest version of sudosh2. (I did notice there is a ▐▌
 █ link to sudosh3 on the project page, different author).                    ▐▌
 █ wget http://biznetnetworks.dl.sourceforge.net/project/sudosh2/v1.0.3/sudosh2-1.0.3.tar.gz ▐▌
 █ tar xvzf sudosh2-1.0.3.tar.gz                                              ▐▌
 █ cd sudosh2-1.0.3                                                           ▐▌
 █ ./configure                                                                ▐▌
 █ make                                                                       ▐▌
 █ su                                                                         ▐▌
 █ make install                                                               ▐▌
 █ cat README                                                                 ▐▌
 █ And take it from there, such as:                                           ▐▌
 █ sudosh -i                                                                  ▐▌
 █ Some more configuration info HERE.                                         ▐▌
 █                                                                            ▐▌
 █ //----------------------------------------------------------------------   ▐▌
 █                                                                            ▐▌
 █ If you find mistakes, have suggestions, and/or questions please post at    ▐▌
 █ mewbies forum HERE - thank you.                                            ▐▌
 █                                                                            ▐▌
 █ Last update on 20 Jul '10                                                  ▐▌
 █                                                                            ▐▌
 █▌                                                                           █▌
  █▌                          -   mewbies.com   -                            █▌
   █▌                                                                       █▌
    ██▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄██