Re: monitoring shell commands (recording username/cmd/time)

From: Jez Hancock (jez.hancock_at_munk.nu)
Date: 06/18/04

Next message: Artyom Viklenko: "Re: monitoring shell commands (recording username/cmd/time)"

Previous message: Rafael B Albuquerque: "Re: update to 4.10 via ssh"
In reply to: Andrew Nelson: "monitoring shell commands (recording username/cmd/time)"
Next in thread: Artyom Viklenko: "Re: monitoring shell commands (recording username/cmd/time)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Fri, 18 Jun 2004 08:25:56 +0100
To: Andrew Nelson <andrew__nelson@hotmail.com>

On Fri, Jun 18, 2004 at 01:22:50PM +1000, Andrew Nelson wrote:
> I'm wondering if there is a version of bash or tcsh that logs all commands
> to a file with username and time? I've tried Sudo, but it's not all that
> practical for my purpose (I'm not that interested in restricting access,
> just
> seeing who has done what at which time...) Can anyone help?

There's a kernel module called 'lrexec' that logs all system calls
executed to syslogd. I configured it a while ago for my system and
wrote up a short comment on it here:

http://jez.han***-family.com/archives/112_Installed_and_Configured_lrexec_module_For_Logging_System_Calls.html

The 'parent' site for the lrexec module is on sourceforge and goes under
the name 'Cerber':

http://cerber.sourceforge.net/

The lrexec module was originally a standalone piece of code by a guy
called Pawel Dawidek, a FreeBSD contributer:

http://jez.han***-family.com/archives/43_Patching_FreeBSD_Kernel_To_Log_User_Activities.html

see also these interesting kernel level patches:

http://jez.han***-family.com/archives/44_Kernel_Level_Patches.html

If you search the archives for freebsd-isp mailing list, you should find
more info on the patches there.

If a kernel module is too low level for you, it's also possible to patch
the shell source to log syscalls. There's some minor info on it here:

http://jez.han***-family.com/archives/37_Securing_Users_Shell_Command_History.html

-- 
Jez Han***
 - System Administrator / PHP Developer
http://munk.nu/
http://jez.han***-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/        - ipfw peruser traffic logging
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

Next message: Artyom Viklenko: "Re: monitoring shell commands (recording username/cmd/time)"

Previous message: Rafael B Albuquerque: "Re: update to 4.10 via ssh"
In reply to: Andrew Nelson: "monitoring shell commands (recording username/cmd/time)"
Next in thread: Artyom Viklenko: "Re: monitoring shell commands (recording username/cmd/time)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]