Summary: Logging all user activity.

From: Peter <fbsdq_at_yahoo.com>
Date: Thu May 17 2001 - 17:06:50 EDT
Thanks to a lot of people including: 
 
Neill, Mark 
Julian, John 
Thomas, Knox 
Daniel, Tate 
and others. 
 
........Original Question at the bottom...................... 
[Quoted directly more or less] 

 
...Julian:... 
he can move his .profile because he has write permission in his home dir. 
Moving, deleting files only require write perms on the dir. 
.../Julian... 
 
Consensus was: 
 
...Daniel... 
Enable logging. 
 
1 - touch /var/adm/pacct as root 
2 - /etc/init.d/acct start 
 
the command to use is 'lastcomm' 
.../Daniel... 
 
...Thomas... 
In sshd_config: 
 
ssh2 and OpenSSH: 
SyslogFacility AUTH 
LogLevel DEBUG 
 
ssh1: 
FascistLogging YES 
 
restart ssh: "sshd -e 2>/my/log/file". 
 
That will send all logging to /my/log/file and not to the 
syslog. 
 
Careful, these logs can get BIG. I'd suggest using logrotate to manage 
them. 
.../Thomas... 
 
 
Basically the consensus was that I enable the Solaris built-in accounting features -- 
'man acct' -- which would probably solve my problem but is more trouble than it's worth. 
SSH accounting features seem to be the next best thing, but those don't 
discriminate between users, so the log file would grow to be very big very fast :p. 
Another thing I could do is recompile 'script', which I think is the best answer. 
If I had gcc installed on here, I would recompile it so that it is quiet; hence the user 
has no idea he is being logged unless he does 'ps -ef' or 'lsof' or 'cat .profile' -- 
I doubt he will think of that if he doesn't suspect anything. 
Since this is a small intranet DB server for our office, the SSH answer is right now 
the easiest and best solution, but for anyone else with lots of users, recompiling 'script' 
would be the best way to log someone -- 'script' will only fool a newbie, but won't fool 
just about anyone else who runs 'ps' or customizes his .profile; this is where SSH and 
the Solaris acct features come into play and will work better. 
 
 

>I have a Solaris 8 sparc box, I would like to log all user activity for a particular user. 
> 
>I have his profile set up as follows: 
>-rw-r--r-- 1 root users 59 May 17 11:30 .profile 
> 
>[Why is he able to move this .profile file around but can't modify it -- how can I make 
>him not able to move it, nor modify it, just read it.] 
> 
>In there I have: 
>exec script /tmp/script/.`date +%m-%d.`$$ 
> 
>Problem with this is that it tells him he is being scripted 
>and where the script file is located. 
> 
>On FreeBSD script has -q option to make it quiet, so that the user has no 
>idea he is being scripted. nada similar for this script under `man script` 
> 
>So what does everyone use if they want to log 
>all activity of a particular user? 
> 
>I don't need real time logging (i.e. snooping), just that all his command/output 
>goes into a file -- and to make it harder for him to know he is being scripted 
>and where that file is located. 
> 
www.nul.cjb.net 
www.FreeBSD.org 
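Julian's point above (moving or deleting a file needs write permission on the directory, not the file) is the reason the root-owned, mode 644 .profile can be renamed away by the user. The following Python model of the POSIX permission checks is an added example, not part of the thread: it reproduces the posted situation and then goes one step further than the thread does, showing how a root-owned home directory with the sticky bit set (restricted deletion, as documented in Solaris chmod(1)) stops the rename while still letting the user create his own files. All uids, gids and modes are constructed values.

```python
import stat
from dataclasses import dataclass

ROOT = 0

@dataclass
class Inode:
    owner: int
    group: int
    mode: int  # permission bits including the sticky bit, e.g. 0o1775

def has_perm(uid, gids, inode, bit):
    """POSIX class selection: owner, else group, else other. Root always passes (simplified)."""
    if uid == ROOT:
        return True
    if uid == inode.owner:
        return bool(inode.mode & (bit << 6))
    if inode.group in gids:
        return bool(inode.mode & (bit << 3))
    return bool(inode.mode & bit)

def can_modify(uid, gids, f):
    """Writing the file's contents needs 'w' on the file itself."""
    return has_perm(uid, gids, f, 0o2)

def can_rename_or_unlink(uid, gids, d, f):
    """Renaming or unlinking an entry needs 'w' and 'x' on the directory, not the file.
    If the directory has the sticky bit, only the file owner, directory owner or root may."""
    if not (has_perm(uid, gids, d, 0o2) and has_perm(uid, gids, d, 0o1)):
        return False
    if d.mode & stat.S_ISVTX and uid not in (ROOT, f.owner, d.owner):
        return False
    return True

USER, USERS = 1001, 100                               # constructed uid / gid
profile = Inode(owner=ROOT, group=USERS, mode=0o644)  # -rw-r--r-- root users .profile
home = Inode(owner=USER, group=USERS, mode=0o755)     # typical user-owned home directory

def scenario(home_dir=home):
    """What the monitored user can do to root's .profile in the given home directory."""
    return {
        "modify": can_modify(USER, {USERS}, profile),
        "rename": can_rename_or_unlink(USER, {USERS}, home, profile) if home_dir is home
                  else can_rename_or_unlink(USER, {USERS}, home_dir, profile),
    }

if __name__ == "__main__":
    print("as posted:", scenario())  # {'modify': False, 'rename': True}
    # Hardening beyond the thread: root owns the home dir with the sticky bit; group write
    # keeps the user able to create files, but root's .profile can no longer be renamed.
    print("sticky root-owned home:", scenario(Inode(ROOT, USERS, 0o1775)))
```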




Received on Thu May 17 22:06:50 2001

This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:24:55 EDT