Re: Logging User Activity

2003-05-19 Thread Michelle Konzack
At 12:39 2003-05-14 -0500 Nathan E Norman wrote:
>
>On Wed, May 14, 2003 at 06:26:16PM +0100, Michael Parkinson wrote:
>> [ I wrote ]
>> > On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
>> > > Dear All,

>Well, where you log to is up to you, but that wasn't my question :-)
>
>What activity are you trying to log?  Activity on machines (user a ran
>this, consumed this much cpu time, etc.) or activity on the network
>(user b accessed this site, consumed this much bandwidth, etc.) ?
>
>The latter is far more difficult: how do you know that a packet was
>caused by user b's activity?

Where is the problem?

I will assume that users log in only on the machine and not remotely...

There is a Debian package which logs the users' login time; this you can
redirect to a logging server. The login is logged with the machine name/IP.

Then you log the traffic with ipac and write a script which compares
the logfiles by time...

Now you have the users' TCP/IP activity logged.

I do this in my secure network.

have a nice day
Michelle
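The time-based correlation Michelle describes, as an added example (not her script and not ipac's own format): login records carry user, machine and login/logout times, traffic records carry timestamp, source IP and bytes, and each traffic record is credited to whoever was logged in on that machine at that moment. Both record formats are assumed simplifications, and the sample data is constructed.

```python
from datetime import datetime

# Constructed sample login log: "user machine login logout" (format assumed).
LOGIN_LOG = """\
alice 10.0.0.5 2003-05-14T09:00 2003-05-14T12:00
bob   10.0.0.7 2003-05-14T10:30 2003-05-14T11:00
dave  10.0.0.7 2003-05-14T10:40 2003-05-14T10:50
carol 10.0.0.5 2003-05-14T12:00 2003-05-14T15:00
"""

# Constructed sample traffic log: "timestamp src_ip bytes".
# A simplified stand-in, not ipac's real on-disk accounting format.
TRAFFIC_LOG = """\
2003-05-14T09:15 10.0.0.5 1200
2003-05-14T10:35 10.0.0.7 200
2003-05-14T10:45 10.0.0.7 800
2003-05-14T11:30 10.0.0.7 300
2003-05-14T12:00 10.0.0.5 500
2003-05-14T13:10 10.0.0.5 4096
"""

def parse_logins(text):
    """Return a list of (user, host, login_time, logout_time) tuples."""
    sessions = []
    for line in text.splitlines():
        user, host, start, end = line.split()
        sessions.append((user, host,
                         datetime.fromisoformat(start),
                         datetime.fromisoformat(end)))
    return sessions

def attribute_traffic(login_text, traffic_text):
    """Credit each traffic record to the user logged in on that host at that time.

    Returns {user: total_bytes}. Traffic with no matching session goes under
    'unattributed'; traffic matching overlapping sessions goes under
    'ambiguous' rather than being blamed on one of the candidates."""
    sessions = parse_logins(login_text)
    totals = {}
    for line in traffic_text.splitlines():
        ts, host, nbytes = line.split()
        when = datetime.fromisoformat(ts)
        # Login time inclusive, logout exclusive, so back-to-back sessions
        # on the same machine do not both claim the boundary second.
        users = [u for u, h, s, e in sessions if h == host and s <= when < e]
        if len(users) == 1:
            key = users[0]
        else:
            key = "unattributed" if not users else "ambiguous"
        totals[key] = totals.get(key, 0) + int(nbytes)
    return totals
```

The 'unattributed' and 'ambiguous' buckets are the honest answer to Nathan's objection: where the login log cannot tie a packet to exactly one user, the script says so instead of guessing.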





Re: Logging User Activity

2003-05-14 Thread xbud

On Wednesday 14 May 2003 10:23, Nathan E Norman wrote:
> On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> > Dear All,
> >
> > Currently implementing a number of modifications to our internal security
> > policies and one addition I am attempting to add is the full logging of
> > user activity.
> >
> > I cannot find any simple way of achieving this within the standard doc's
> > and searching the web for "log user activity linux debian" does throw up
> > some not particularly useful links, including a package for filtering my
> > users output to the FBI, not much good for the UK.
> >
> > Can anyone point me in the right direction?
>
> Are you trying to log activity on machines or on the network?
particularly good question ;)

My suggestion would be to consider both.
For network logging we can 'argue' about what 
sniffers/stream-assemblers/system-logging utils are the best so I won't get 
into it.  I would simply use syslog-ng and have everything sent over a tunnel 
with a signature to avoid spoofing, this would only work if your 'network 
logging' util is capable of using syslog-ng to save logs.
Anyway, consider forcing the users to use a certain shell and have the shell 
log everything the users do a la keystroke granularity.

A solution may be to separate your users using what Sebastian suggested, 
grsecurity.

Another solution would be to chroot all your users (but I generally think it's 
more of a pain and would simply piss off most of them). 
http://www.digitaloffense.net/chrsh/chrsh.c
http://www.g0thead.com/chrsh-user-setup.txt

-- 
--
Orlando Padilla
http://www.g0thead.com/xbud.asc
"I only drink to make other people interesting" 
--



Re: Logging User Activity

2003-05-14 Thread Nathan E Norman
On Wed, May 14, 2003 at 06:26:16PM +0100, Michael Parkinson wrote:
> [ I wrote ]
> > On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> > > Dear All,
> > >
> > > Currently implementing a number of modifications to our internal security
> > > policies and one addition I am attempting to add is the full logging of user
> > > activity.
> > >
> > > I cannot find any simple way of achieving this within the standard doc's and
> > > searching the web for "log user activity linux debian" does throw up some
> > > not particularly useful links, including a package for filtering my users
> > > output to the FBI, not much good for the UK.
> > >
> > > Can anyone point me in the right direction?
> > 
> > Are you trying to log activity on machines or on the network?
>
> Hi Nathan,
> 
> Logging over the network would be ideal but to the machine if that is all
> that is available.

[ Let's keep this on the list, please ]

Well, where you log to is up to you, but that wasn't my question :-)

What activity are you trying to log?  Activity on machines (user a ran
this, consumed this much cpu time, etc.) or activity on the network
(user b accessed this site, consumed this much bandwidth, etc.) ?

The latter is far more difficult: how do you know that a packet was
caused by user b's activity?

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  Exhilaration is that feeling you get just after a great idea hits you,
  and just before you realize what's wrong with it.



Re: Logging User Activity

2003-05-14 Thread Jamie Lawrence

> On Wed, 2003-05-14 at 10:33, Michael Parkinson wrote:
> > I cannot find any simple way of achieving this within the standard doc's and
> > searching the web for "log user activity linux debian" does throw up some
> > not particularly useful links, including a package for filtering my users
> > output to the FBI, not much good for the UK.

I missed the start of the thread, and apologize for not answering much.
But could you point me at that package? A quick googling didn't show
much obvious.

I'd be extremely interested in looking at what that package is actually
up to. I haven't heard much about this sort of thing going on in the
open source world.

-j

-- 
Jamie Lawrence  [EMAIL PROTECTED]
Politics is the entertainment branch of industry. 
   - Frank Zappa




Re: Logging User Activity

2003-05-14 Thread Lukas Ruf
Michael,

> Michael Parkinson <[EMAIL PROTECTED]> [2003-05-14 17:27]:
>
> I cannot find any simple way of achieving this within the standard doc's and
> searching the web for "log user activity linux debian" does throw up some
> not particularly useful links, including a package for filtering my users
> output to the FBI, not much good for the UK.
> 
> Can anyone point me in the right direction?
> 

do you know already:
 ?

wbr,
Lukas
-- 
Lukas Ruf   | Wanna know anything about raw |
 | IP?     |



RE: Logging User Activity

2003-05-14 Thread Christofer Olofsson
Hi all!

How about enabling 'BSD Process Accounting' in the kernel 
and installing the 'acct' package.
This will give similar (or exact, haven't tried it myself)
functionality as the OpenBSD accounting with 'accton'
so that all user commands will be logged and then viewed
with 'lastcomm'.


br, Christofer.


> -Original Message-
> From: Mark L. Kahnt [mailto:[EMAIL PROTECTED]
> Sent: den 14 maj 2003 17:45
> To: debian-security@lists.debian.org
> Subject: Re: Logging User Activity
> 
> 
> On Wed, 2003-05-14 at 10:33, Michael Parkinson wrote:
> > Dear All,
> > 
> > Currently implementing a number of modifications to our internal security
> > policies and one addition I am attempting to add is the full logging of user
> > activity.
> 
> Are the users on the machine with shell accounts, X11 and the like, or
> passing through via ppp? There are different ways of doing things
> depending on the type of use, although the amount of detail specified
> for log files can usually cover some of what you want.
> > 
> > I cannot find any simple way of achieving this within the standard doc's and
> > searching the web for "log user activity linux debian" does throw up some
> > not particularly useful links, including a package for filtering my users
> > output to the FBI, not much good for the UK.
> 
> I dunno - the FBI and CIA probably wouldn't object to some 
> more of that
> stuff gratuitously offered.
> > 
> > Can anyone point me in the right direction?
> > 
> > With thanks
> > 
> > Mike
> > 
> > 
> > http://www.ishop.co.uk/
> > Build on-line.
> > Buy online.
> > The only UK based complete e-commerce package.
> > 
> > Michael Parkinson BSc.(Hons)
> > Technical Director
> > Intellnet Limited
> > 5 Priors
> > London Road
> > Bishops Stortford
> > Herts
> > CM23 5ED
> > 
> > Phone : 01279 602800
> > DDI   : 01279 602805
> > Fax   : 01279 600815
> > Mobile  :   07770 380511
> > ICQ No. :   47666166
> > E-mail  :   [EMAIL PROTECTED]
> >   [EMAIL PROTECTED]
> > URL   :http://www.intellnet.net.uk/
> >   http://www.ishop.co.uk/
> > 
> -- 
> Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
> ML Kahnt New Markets Consulting
> Tel: (613) 531-8684 / (613) 539-0935
> Email: [EMAIL PROTECTED]
> 



Re: Logging User Activity

2003-05-14 Thread Nathan E Norman
On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> Dear All,
> 
> Currently implementing a number of modifications to our internal security
> policies and one addition I am attempting to add is the full logging of user
> activity.
> 
> I cannot find any simple way of achieving this within the standard doc's and
> searching the web for "log user activity linux debian" does throw up some
> not particularly useful links, including a package for filtering my users
> output to the FBI, not much good for the UK.
> 
> Can anyone point me in the right direction?

Are you trying to log activity on machines or on the network?

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  Q:  What's tiny and yellow and very, very, dangerous?
  A:  A canary with the super-user password.



Re: Logging User Activity

2003-05-14 Thread Sebastian
On Wed, 2003-05-14 at 16:33, Michael Parkinson wrote:
> Dear All,
> 
> Currently implementing a number of modifications to our internal security
> policies and one addition I am attempting to add is the full logging of user
> activity.

Are you sure that this is not violating your users' privacy?

But apart from political and legal issues - I suggest using the
grsecurity kernel patch (www.grsecurity.org). You can put all users that
you don't trust into a special audit group. Of course, you still have to
come up with a solution for secure remote logging (syslog is not an
option - some of your users could for example get the idea of sending
fake logs of other users doing nasty things to the remote logging
server...).

Sebastian




Re: Logging User Activity

2003-05-14 Thread Mark L. Kahnt
On Wed, 2003-05-14 at 10:33, Michael Parkinson wrote:
> Dear All,
> 
> Currently implementing a number of modifications to our internal security
> policies and one addition I am attempting to add is the full logging of user
> activity.

Are the users on the machine with shell accounts, X11 and the like, or
passing through via ppp? There are different ways of doing things
depending on the type of use, although the amount of detail specified
for log files can usually cover some of what you want.
> 
> I cannot find any simple way of achieving this within the standard doc's and
> searching the web for "log user activity linux debian" does throw up some
> not particularly useful links, including a package for filtering my users
> output to the FBI, not much good for the UK.

I dunno - the FBI and CIA probably wouldn't object to some more of that
stuff gratuitously offered.
> 
> Can anyone point me in the right direction?
> 
> With thanks
> 
> Mike
> 
> 
> http://www.ishop.co.uk/
> Build on-line.
> Buy online.
> The only UK based complete e-commerce package.
> 
> Michael Parkinson BSc.(Hons)
> Technical Director
> Intellnet Limited
> 5 Priors
> London Road
> Bishops Stortford
> Herts
> CM23 5ED
> 
> Phone   : 01279 602800
> DDI : 01279 602805
> Fax : 01279 600815
> Mobile:   07770 380511
> ICQ No.   :   47666166
> E-mail:   [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> URL :http://www.intellnet.net.uk/
> http://www.ishop.co.uk/
> 
-- 
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: [EMAIL PROTECTED]




Logging User Activity

2003-05-14 Thread Michael Parkinson
Dear All,

Currently implementing a number of modifications to our internal security
policies and one addition I am attempting to add is the full logging of user
activity.

I cannot find any simple way of achieving this within the standard doc's and
searching the web for "log user activity linux debian" does throw up some
not particularly useful links, including a package for filtering my users
output to the FBI, not much good for the UK.

Can anyone point me in the right direction?

With thanks

Mike


http://www.ishop.co.uk/
Build on-line.
Buy online.
The only UK based complete e-commerce package.

Michael Parkinson BSc.(Hons)
Technical Director
Intellnet Limited
5 Priors
London Road
Bishops Stortford
Herts
CM23 5ED

Phone : 01279 602800
DDI   : 01279 602805
Fax   : 01279 600815
Mobile  :   07770 380511
ICQ No. :   47666166
E-mail  :   [EMAIL PROTECTED]
  [EMAIL PROTECTED]
URL   :http://www.intellnet.net.uk/
  http://www.ishop.co.uk/