JP Vossen on 13 Aug 2009 13:58:40 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] logging user activity

 > Date: Thu, 13 Aug 2009 16:24:25 -0400
 > From: Paul DiSciascio <>
 > The only way to really enforce logging of user activities is to use
 > some sort of restricted shell that enforces shell history and prevents
 > the user from modifying their profile/environment.

But that is almost impossible to fully achieve.  Will you allow use of 
vi?  Bang, there's an escape hatch.  And don't even get me started on 
Emacs.  :-)

 > Your other option is to enable system auditing, which will allow you
 > to be a lot more granular with respect to what you log, but may be
 > overkill (or underkill) depending on what you're looking for.

It also probably won't capture much user activity (i.e., keystrokes and 

The only way you can *almost* guarantee capturing all user activity is 
to modify the kernel to do so.  There have been extensive technical 
discussions of why this is so on various HoneyPot/HoneyNet forums, since 
the goal of those projects is to allow machines to be cracked, then see 
what the bad guys do.  So those guys have put a lot of thought and 
effort into the problem of user monitoring/logging.  If you really care, 
  that's where the answer are.  But there are no trivial ways to do it 
well, esp. against moderately technical and/or malicious users.

JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --