Re: Logging User Activity
At 12:39 2003-05-14 -0500, Nathan E Norman wrote:

> On Wed, May 14, 2003 at 06:26:16PM +0100, Michael Parkinson wrote:
> > [ I wrote ]
> > > On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> > > > Dear All,
>
> Well, where you log to is up to you, but that wasn't my question :-)
>
> What activity are you trying to log? Activity on machines (user a ran this, consumed this much CPU time, etc.) or activity on the network (user b accessed this site, consumed this much bandwidth, etc.)?
>
> The latter is far more difficult: how do you know that a packet was caused by user b's activity?

Where is the problem???

I will assume that users log in only on the machine and not remotely...

There is a Debian package which logs the users' login time; this you can redirect to a logging server. The login is logged with the machine name/IP.

Then you log the traffic with ipac and write a script which compares the log files by time...

Now you have the users' TCP/IP activity logged.

I do this in my Secure-Network.

Have a nice day
Michelle
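The time-based comparison Michelle describes, written out as an added example that is not code from the thread or from any Debian package: constructed login records (timestamp, LOGIN/LOGOUT, user, machine IP) stand in for the redirected login log, and constructed (timestamp, IP, bytes) records stand in for the ipac traffic log. The two line formats, the user names and the addresses are assumptions. It also handles the case Nathan raises: when two users are logged in on the same machine at the same time, traffic from that IP cannot be charged to either of them, and traffic seen while nobody is logged in (daemons, cron, clock skew between the two logs) is kept apart as well.

```python
"""Attribute per-machine traffic to logged-in users by comparing timestamps.

Added example, not code from the thread. Both inputs below are constructed
samples in assumed formats; a real deployment would read the redirected
login log and the ipac output instead.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed login log: "<date> <time> LOGIN|LOGOUT <user> <machine IP>"
LOGIN_LOG = """\
2003-05-14 09:00:00 LOGIN  alice 192.168.1.10
2003-05-14 09:30:00 LOGIN  bob   192.168.1.20
2003-05-14 10:00:00 LOGOUT alice 192.168.1.10
2003-05-14 10:15:00 LOGIN  carol 192.168.1.20
2003-05-14 11:00:00 LOGOUT bob   192.168.1.20
"""

# Constructed traffic log (ipac-like, one line per interval): "<date> <time> <IP> <bytes>"
TRAFFIC_LOG = """\
2003-05-14 09:10:00 192.168.1.10 120000
2003-05-14 09:45:00 192.168.1.20 5000
2003-05-14 10:05:00 192.168.1.10 800
2003-05-14 10:30:00 192.168.1.20 70000
2003-05-14 11:30:00 192.168.1.20 9000
"""


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None: still logged in when the log was read


def _ts(date: str, clock: str) -> datetime:
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")


def parse_sessions(text: str) -> list:
    """Pair LOGIN/LOGOUT events per (user, ip) into Session intervals."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, event, user, ip = line.split()
        key, when = (user, ip), _ts(date, clock)
        if event == "LOGIN":
            open_sessions[key] = Session(user, ip, when, None)
        elif event == "LOGOUT" and key in open_sessions:
            sess = open_sessions.pop(key)
            sess.end = when
            sessions.append(sess)
    sessions.extend(open_sessions.values())  # sessions with no logout yet
    return sessions


def parse_traffic(text: str) -> list:
    """Return (timestamp, ip, bytes) tuples from the constructed traffic log."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, ip, nbytes = line.split()
        records.append((_ts(date, clock), ip, int(nbytes)))
    return records


def attribute(sessions: list, traffic: list) -> dict:
    """Charge each traffic record to the single user logged in on that IP.

    Records with no matching session and records where several users were
    logged in at once are counted separately: comparing times alone cannot
    say whose packets those were.
    """
    by_user = defaultdict(int)
    ambiguous = unattributed = 0
    for when, ip, nbytes in traffic:
        users = {s.user for s in sessions
                 if s.ip == ip and s.start <= when and (s.end is None or when < s.end)}
        if len(users) == 1:
            by_user[users.pop()] += nbytes
        elif users:
            ambiguous += nbytes
        else:
            unattributed += nbytes
    return {"by_user": dict(by_user), "ambiguous": ambiguous, "unattributed": unattributed}


def report() -> dict:
    return attribute(parse_sessions(LOGIN_LOG), parse_traffic(TRAFFIC_LOG))


if __name__ == "__main__":
    result = report()
    for user, nbytes in sorted(result["by_user"].items()):
        print(f"{user:8} {nbytes:>8} bytes")
    print("ambiguous:", result["ambiguous"], "unattributed:", result["unattributed"])
```

With the sample data, alice gets the 09:10 record, bob the 09:45 one and carol the 11:30 one; the 10:30 record on 192.168.1.20 lands in the ambiguous bucket because bob and carol were both logged in, and the 10:05 record on 192.168.1.10 is unattributed because alice had already logged out. The two logs must share a clock (or have their offset corrected) for the comparison to mean anything.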
Re: Logging User Activity
On Wed, 2003-05-14 at 10:33, Michael Parkinson wrote:
> Dear All,
>
> Currently implementing a number of modifications to our internal security policies and one addition I am attempting to add is the full logging of user activity.

Are the users on the machine with shell accounts, X11 and the like, or passing through via ppp? There are different ways of doing things depending on the type of use, although the amount of detail specified for log files can usually cover some of what you want.

> I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.

I dunno - the FBI and CIA probably wouldn't object to some more of that stuff gratuitously offered.

> Can anyone point me in the right direction?
>
> With thanks
>
> Mike
>
> http://www.ishop.co.uk/ Build on-line. Buy online. The only UK based complete e-commerce package.
>
> Michael Parkinson BSc.(Hons)
> Technical Director
> Intellnet Limited
> 5 Priors, London Road
> Bishops Stortford
> Herts CM23 5ED
> Phone : 01279 602800
> DDI : 01279 602805
> Fax : 01279 600815
> Mobile : 07770 380511
> ICQ No. : 47666166
> E-mail : [EMAIL PROTECTED] [EMAIL PROTECTED]
> URL : http://www.intellnet.net.uk/ http://www.ishop.co.uk/

-- 
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: [EMAIL PROTECTED]
Re: Logging User Activity
On Wed, 2003-05-14 at 16:33, Michael Parkinson wrote:
> Dear All,
>
> Currently implementing a number of modifications to our internal security policies and one addition I am attempting to add is the full logging of user activity.

Are you sure that this is not violating your users' privacy?

But apart from political and legal issues - I suggest using the grsecurity kernel patch (www.grsecurity.org). You can put all users that you don't trust into a special audit group.

Of course, you still have to come up with a solution for secure remote logging (syslog is not an option - some of your users could for example get the idea of sending fake logs of other users doing nasty things to the remote logging server...).

Sebastian
Re: Logging User Activity
On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> Dear All,
>
> Currently implementing a number of modifications to our internal security policies and one addition I am attempting to add is the full logging of user activity.
>
> I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.
>
> Can anyone point me in the right direction?

Are you trying to log activity on machines or on the network?

-- 
Nathan Norman - Incanus Networking
mailto:[EMAIL PROTECTED]
  Q: What's tiny and yellow and very, very, dangerous?
  A: A canary with the super-user password.
RE: Logging User Activity
Hi all!

How about enabling 'BSD Process Accounting' in the kernel and installing the 'acct' package. This will give similar (or exact, haven't tried it myself) functionality as the OpenBSD accounting with 'accton', so that all user commands will be logged and can then be viewed with 'lastcomm'.

br,
Christofer.

-----Original Message-----
From: Mark L. Kahnt [mailto:[EMAIL PROTECTED]]
Sent: 14 May 2003 17:45
To: debian-security@lists.debian.org
Subject: Re: Logging User Activity

On Wed, 2003-05-14 at 10:33, Michael Parkinson wrote:
> Dear All,
>
> Currently implementing a number of modifications to our internal security policies and one addition I am attempting to add is the full logging of user activity.

Are the users on the machine with shell accounts, X11 and the like, or passing through via ppp? There are different ways of doing things depending on the type of use, although the amount of detail specified for log files can usually cover some of what you want.

> I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.

I dunno - the FBI and CIA probably wouldn't object to some more of that stuff gratuitously offered.

> Can anyone point me in the right direction?
>
> With thanks
>
> Mike
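Once process accounting is switched on, what the administrator actually reads is the text that lastcomm prints: command name, a flags column (S for a process that ran with superuser privileges, F for a fork that did not exec, D for a core dump, X for killed by a signal, C for compatibility mode, blank when none apply), user, tty, CPU seconds and a date. The block below is an added example, not code from the thread or from the acct package: it parses a handful of constructed lastcomm-style lines and summarizes them per user, pulling out the commands that ran with superuser privileges and any command on an assumed watch list. The sample lines and the watch list are assumptions.

```python
"""Summarize per-user command history from lastcomm output.

Added example, not code from the thread or from the acct package. The input
is a constructed sample in the layout lastcomm prints once BSD process
accounting is running: command, flags, user, tty, CPU seconds, date.
"""
import re
from collections import defaultdict

# Constructed lastcomm-style lines. Flags column: S = superuser privileges,
# F = forked but did not exec, D = dumped core, X = killed by a signal,
# C = compatibility mode; blank when none apply.
LASTCOMM_OUTPUT = """\
bash             S    alice    pts/0      0.03 secs Wed May 14 15:33
wget                  alice    pts/0      1.20 secs Wed May 14 15:34
sudo             S    bob      pts/1      0.01 secs Wed May 14 15:35
nmap                  bob      pts/1      4.50 secs Wed May 14 15:36
cron             F    root     __         0.00 secs Wed May 14 15:40
"""

# Commands worth a second look when run by ordinary users (assumed list).
WATCH_LIST = {"nmap", "tcpdump", "nc", "john"}

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>[SFDXC]*)\s+(?P<user>\S+)\s+(?P<tty>\S+)"
    r"\s+(?P<cpu>\d+\.\d+) secs\s+(?P<when>.+?)\s*$"
)


def parse_lastcomm(text: str) -> list:
    """Return one dict per accounting record; lines that do not parse are skipped.

    Caveat: because the flags column may be blank, a user name consisting only
    of the letters S, F, D, X, C would be taken for flags. Anything that has to
    be exact should read the binary accounting file rather than lastcomm text.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["cpu"] = float(rec["cpu"])
        records.append(rec)
    return records


def summarize(records: list) -> dict:
    """Per user: command count, CPU seconds, superuser commands, watch-list hits."""
    summary = defaultdict(lambda: {"commands": 0, "cpu": 0.0, "su": [], "flagged": []})
    for rec in records:
        entry = summary[rec["user"]]
        entry["commands"] += 1
        entry["cpu"] += rec["cpu"]
        if "S" in rec["flags"]:
            entry["su"].append(rec["cmd"])
        if rec["cmd"] in WATCH_LIST:
            entry["flagged"].append(rec["cmd"])
    for entry in summary.values():
        entry["cpu"] = round(entry["cpu"], 2)
    return dict(summary)


def report(text: str = LASTCOMM_OUTPUT) -> dict:
    return summarize(parse_lastcomm(text))


if __name__ == "__main__":
    for user, entry in sorted(report().items()):
        print(f"{user:8} {entry['commands']:3} cmds {entry['cpu']:6.2f} secs "
              f"su={entry['su']} flagged={entry['flagged']}")
```

Note what accounting does and does not give you: it records the command name, not its arguments, so "wget" is logged but not the URL, and a shell built-in never shows up at all. That is why Orlando's suggestion of a logging shell and Michelle's network-side correlation are complementary to it rather than redundant.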
Re: Logging User Activity
Michael,

Michael Parkinson [EMAIL PROTECTED] [2003-05-14 17:27]:
> I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.
>
> Can anyone point me in the right direction?

Do you know already: http://www.debian.org/doc/manuals/securing-debian-howto ?

wbr,
Lukas

-- 
Lukas Ruf           | Wanna know anything about raw
http://www.lpr.ch   | IP? http://www.rawip.org
Re: Logging User Activity
On Wed, 2003-05-14 at 10:33, Michael Parkinson wrote:
> I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.

I missed the start of the thread, and apologize for not answering much. But could you point me at that package? A quick googling didn't show much obvious. I'd be extremely interested in looking at what that package is actually up to. I haven't heard much about this sort of thing going on in the open source world.

-j

-- 
Jamie Lawrence                                    [EMAIL PROTECTED]
Politics is the entertainment branch of industry.
   - Frank Zappa
Re: Logging User Activity
On Wed, May 14, 2003 at 06:26:16PM +0100, Michael Parkinson wrote:
> [ I wrote ]
> > On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> > > Dear All,
> > >
> > > Currently implementing a number of modifications to our internal security policies and one addition I am attempting to add is the full logging of user activity.
> > >
> > > I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.
> > >
> > > Can anyone point me in the right direction?
> >
> > Are you trying to log activity on machines or on the network?
>
> Hi Nathan,
>
> Logging over the network would be ideal, but to the machine if that is all that is available.

[ Let's keep this on the list, please ]

Well, where you log to is up to you, but that wasn't my question :-)

What activity are you trying to log? Activity on machines (user a ran this, consumed this much CPU time, etc.) or activity on the network (user b accessed this site, consumed this much bandwidth, etc.)?

The latter is far more difficult: how do you know that a packet was caused by user b's activity?

-- 
Nathan Norman - Incanus Networking
mailto:[EMAIL PROTECTED]
  Exhilaration is that feeling you get just after a great idea hits you,
  and just before you realize what's wrong with it.
Re: Logging User Activity
On Wednesday 14 May 2003 10:23, Nathan E Norman wrote:
> On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> > Dear All,
> >
> > Currently implementing a number of modifications to our internal security policies and one addition I am attempting to add is the full logging of user activity.
> >
> > I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.
> >
> > Can anyone point me in the right direction?
>
> Are you trying to log activity on machines or on the network?

Particularly good question ;)

My suggestion would be to consider both. For network logging we can 'argue' about what sniffers/stream-assemblers/system-logging utils are the best, so I won't get into it. I would simply use syslog-ng and have everything sent over a tunnel with a signature to avoid spoofing; this would only work if your 'network logging' util is capable of using syslog-ng to save logs.

Anyway, consider forcing the users to use a certain shell and have the shell log everything the users do, a la keystroke granularity. A solution may be to separate your users using what Sebastian suggested, grsecurity. Another solution would be to chroot all your users (but I generally think it's more of a pain and would simply piss off most of them).

http://www.digitaloffense.net/chrsh/chrsh.c
http://www.g0thead.com/chrsh-user-setup.txt

-- 
Orlando Padilla
http://www.g0thead.com/xbud.asc
I only drink to make other people interesting
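Sebastian's warning that a user could send fake log lines about other users to the remote logging server, and Orlando's answer of sending everything over a tunnel with a signature, come down to one property: the collector must be able to tell which host a line really came from and that it has not seen it before. The block below is an added example, not code from the thread and not a syslog-ng feature: it shows the idea as a minimal scheme in which each logging host keys its lines with HMAC-SHA256 and a per-host sequence number, and the collector rejects a forged line (signed without the key) and a replayed one. The wire format, the host names, the keys and the log lines are assumptions; in a real setup the per-host key must be readable only by the logging daemon, not by the users being logged, and the line would still travel inside the tunnel for confidentiality.

```python
"""Per-host keyed log lines so a collector can reject forged or replayed entries.

Added example, not code from the thread and not a syslog-ng feature. It is
a stand-in for 'a tunnel with a signature': HMAC-SHA256 over host, sequence
number and message, checked by the receiving side. Keys, host names and the
sample messages are assumed.
"""
import hashlib
import hmac

# Assumed per-host keys shared with the collector. On the sending host the
# key must be readable only by the logging daemon, never by ordinary users.
HOST_KEYS = {"shell1": b"shell1-secret-key", "shell2": b"shell2-secret-key"}


def sign_line(host: str, seq: int, msg: str, key: bytes) -> str:
    """Assumed wire format: host|seq|message|hex(HMAC-SHA256(key, host|seq|message))."""
    payload = f"{host}|{seq}|{msg}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


class Collector:
    """Accepts a line only if its tag verifies under the claimed host's key
    and its sequence number is the next one expected from that host."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.next_seq = {host: 1 for host in keys}
        self.accepted, self.rejected = [], []

    def receive(self, line: str) -> bool:
        try:
            host, seq_text, rest = line.split("|", 2)
            msg, tag = rest.rsplit("|", 1)  # message itself may contain '|'
            seq = int(seq_text)
        except ValueError:
            self.rejected.append((line, "malformed"))
            return False
        key = self.keys.get(host)
        if key is None:
            self.rejected.append((line, "unknown host"))
            return False
        expected = hmac.new(key, f"{host}|{seq}|{msg}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            self.rejected.append((line, "bad signature"))
            return False
        if seq != self.next_seq[host]:  # replayed, or lines were lost or dropped
            self.rejected.append((line, "replay or gap"))
            return False
        self.next_seq[host] = seq + 1
        self.accepted.append((host, seq, msg))
        return True


def demo() -> dict:
    """Two genuine lines from shell1, one forged by a user without the key, one replay."""
    collector = Collector(HOST_KEYS)
    genuine1 = sign_line("shell1", 1, "alice ran /usr/bin/wget", HOST_KEYS["shell1"])
    genuine2 = sign_line("shell1", 2, "alice ran /bin/ls", HOST_KEYS["shell1"])
    # A user on shell1 fabricates a line claiming bob did something on shell2;
    # without shell2's key the best they can do is sign it with a guess.
    forged = sign_line("shell2", 1, "bob ran rm -rf /srv", b"guessed-key")
    results = [collector.receive(genuine1), collector.receive(genuine2),
               collector.receive(forged), collector.receive(genuine1)]
    return {"results": results, "accepted": len(collector.accepted),
            "reasons": [reason for _, reason in collector.rejected]}


if __name__ == "__main__":
    print(demo())
```

The sequence counter is what defeats the replay; the HMAC alone would let a user capture a genuine line and resend it later. A gap in the counter is also worth alerting on, since it means lines were lost between the host and the collector, whether by accident or not.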