User action tracing

atlantislim · 08-26-2002, 04:48 AM

Hi all, is it possible for system admin to trace the user actions like command and date/time he/she issue?

Regards

unSpawn · 08-26-2002, 01:09 PM

if you want logging the command *and* time an easy way I would suggest you look into the Grsecurity kernel patch. It's got an option called Trusted Path Execution which you can switch (on|off|$UID). Quite, kewl, Grsec also has the same options (not under TPE tho) for logging all users commands in a chroot...

pk21 · 08-26-2002, 02:32 PM

You can just check there history. But i don't think there will be any timestamps.

neo77777 · 08-26-2002, 05:42 PM

If you worry about users executing commands they are not supposed to execute, then play a little bit more curious admin, look under user's history what commands gets executed more often (you can strip out ls, cd, etc) and then you can setup sudo for users to execute commands and log what these commands were, who executed a particular command and when these commands were executed

atlantislim · 08-26-2002, 07:19 PM

Cause I wanna trace who using what command on when due the my senior request(On Linux and AIX too). Except from patching the kernel, is it other external tool to do so ?

Thanks for help and suggestion

neo77777 · 08-26-2002, 08:51 PM

Look at sudo. http://www.courtesan.com/sudo/

neo77777 · 08-26-2002, 08:57 PM

There is another method we use at work to log all the commands user might execute, we call it como, I'll ask tomorrow for a permission to get a sneak view how it is constructed, I am not sure if it is a UNIX package (the google yielded no results except Spanish web pages) or it was written by one of our developers back in 80's.