On Wednesday 14 May 2003 10:23, Nathan E Norman wrote:
> On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> > Dear All,
> >
> > Currently implementing a number of modifications to our internal security
> > policies and one addition I am attempting to add is the full logging of
> > user activity.
> >
> > I cannot find any simple way of achieving this within the standard docs
> > and searching the web for "log user activity linux debian" does throw up
> > some not particularly useful links, including a package for filtering my
> > users' output to the FBI, not much good for the UK.
> >
> > Can anyone point me in the right direction?
>
> Are you trying to log activity on machines or on the network?

Particularly good question ;)

My suggestion would be to consider both. For network logging we can 'argue' about what sniffers/stream-assemblers/system-logging utils are the best, so I won't get into it. I would simply use syslog-ng and have everything sent over a tunnel with a signature to avoid spoofing; this would only work if your 'network logging' util is capable of using syslog-ng to save logs.

Anyway, consider forcing the users to use a certain shell and have the shell log everything the users do a la keystroke granularity. A solution may be to separate your users using what Sebastian suggested, grsecurity. Another solution would be to chroot all your users (but I generally think it's more of a pain and would simply piss off most of them).

http://www.digitaloffense.net/chrsh/chrsh.c
http://www.g0thead.com/chrsh-user-setup.txt

-- 
------------------------------
Orlando Padilla
http://www.g0thead.com/xbud.asc
"I only drink to make other people interesting"
------------------------------
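One way to get the "signature to avoid spoofing" property at the level of individual log records, as an added example that is not part of the original post and does not use syslog-ng: each host tags its lines with an HMAC and a sequence number, and the collector rejects forged, altered or replayed lines. The record layout, key, host name and sample log lines are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo key (assumption); in practice each sending host has its own secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def sign_record(key, host, seq, message):
    """Return 'host|seq|message|tag', tag = HMAC-SHA256 over the first three fields."""
    body = f"{host}|{seq}|{message}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

class LogVerifier:
    """Collector-side check: valid tag, and increasing sequence number per host."""
    def __init__(self, keys):
        self.keys = keys        # host -> shared secret
        self.last_seq = {}      # host -> highest sequence number accepted so far

    def check(self, line):
        try:
            body, tag = line.rsplit("|", 1)
            host, seq_text, _message = body.split("|", 2)  # message may contain '|'
            seq = int(seq_text)
        except ValueError:
            return "malformed"
        key = self.keys.get(host)
        if key is None:
            return "unknown-host"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-signature"      # spoofed sender or line altered in transit
        last = self.last_seq.get(host, 0)
        if seq <= last:
            return "replayed"           # an old, validly signed line sent again
        self.last_seq[host] = seq
        return "ok" if seq == last + 1 else "gap"   # gap: records went missing

def demo():
    # Constructed sample records for a hypothetical host "web1".
    v = LogVerifier({"web1": DEMO_KEY})
    good1 = sign_record(DEMO_KEY, "web1", 1, "alice: ls -la /etc")
    good2 = sign_record(DEMO_KEY, "web1", 2, "alice: cat notes | wc -l")
    forged = sign_record(b"wrong-key", "web1", 3, "alice: touch /tmp/x")
    tampered = good2.replace("alice", "bob")
    return [v.check(x) for x in (good1, forged, tampered, good2, good2)]

if __name__ == "__main__":
    print(demo())
```

A "gap" result is worth alerting on as much as a bad signature, since silently dropped records are another way an activity log can be made incomplete.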

