- 12-12-2006 #1 Just Joined!
- Join Date
- Dec 2006
- Posts
- 3
Logging Users Movements
Is there any way to monitor user movements or log them? E.g.,
I've got an SSH server and I want to know when some user connects, what he does, whether he downloads files or deletes them, etc.
Is there any way, program or something like that to do so?
Thanks
- 12-12-2006 #2
Have you tried increasing the level of sshd logging in sshd.conf?
Registered Linux user #388328 || Registered LFS user #15880
AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
Need instant help? Try us on IRC -- #linuxforums on freenode
- 12-12-2006 #3
If they don't delete or modify it, you can look at the .bash_history file in their home directory.
I have sold my soul to the penguin
- 12-12-2006 #4
Quote:
I got an ssh server and i want to know when some user connects
Try
Code:
# grep 'sshd' /var/log/secure
You might want to pipe the output to the less pager.
=============
Quote:
what does he do
That's not the easiest thing to track. As was mentioned, the ~/.bash_history file is available, but it's trivial for a user to clear that. You might want to look into Process Accounting.
Here's an intro to it: http://www.linuxjournal.com/article/6144
It's not exactly for the faint of heart.
=============
Quote:
if he download files or delete them
You can determine that easily using a home-made (or prebuilt) file integrity checker. For GNU/Linux I highly recommend aide (I hear it's very similar to tripwire).
- 12-13-2006 #5 Just Joined!
- Join Date
- Dec 2006
- Posts
- 3
For some strange reason /var/log/secure doesn't exist =|
- 12-13-2006 #6
It's ok. I just made a wrong assumption. (Not all GNU/Linuxes are the same.) What distro are you using?
Also, it would help if you posted the results of ls /var/log. I should be able to give you a different answer based on that.
- 12-13-2006 #7 Just Joined!
- Join Date
- Dec 2006
- Posts
- 3
I got Ubuntu Edgy
root@rophierr:/etc/init.d# ls /var/log
acpid btmp.1 debug.3.gz evms-engine.4.log kdm.log.3.gz mail.err scrollkeeper.log user.log.0
acpid.1.gz cups debug.4.gz evms-engine.5.log kdm.log.4.gz mail.info scrollkeeper.log.1 user.log.1.gz
acpid.2.gz daemon.log debug.5.gz evms-engine.6.log kdm.log.5.gz mail.log scrollkeeper.log.2 user.log.2.gz
acpid.3.gz daemon.log.0 dmesg evms-engine.7.log kdm.log.6.gz mail.warn sshblacklisting user.log.3.gz
aptitude daemon.log.1.gz dmesg.0 evms-engine.8.log kdm.log.7.gz messages syslog uucp.log
aptitude.1.gz daemon.log.2.gz dmesg.1.gz evms-engine.9.log kern.log messages.0 syslog.0 wtmp
auth.log daemon.log.3.gz dmesg.2.gz evms-engine.log kern.log.0 messages.1.gz syslog.1.gz wtmp.1
auth.log.0 daemon.log.4.gz dmesg.3.gz faillog kern.log.1.gz messages.2.gz syslog.2.gz wvdialconf.log
auth.log.1.gz daemon.log.5.gz dmesg.4.gz fontconfig.log kern.log.2.gz messages.3.gz syslog.3.gz Xorg.0.log
auth.log.2.gz daemon.log.6.gz dpkg.log fsck kern.log.3.gz messages.4.gz syslog.4.gz Xorg.0.log.old
auth.log.3.gz debug dpkg.log.1 installer kern.log.4.gz messages.5.gz syslog.5.gz Xorg.1.log
boot debug.0 evms-engine.1.log kdm.log kern.log.5.gz news syslog.6.gz
bootstrap.log debug.1.gz evms-engine.2.log kdm.log.1 lastlog pycentral.log udev
btmp debug.2.gz evms-engine.3.log kdm.log.2.gz lpr.log samba user.log
Thanks
- 12-13-2006 #8
I'd imagine you can get similar information from the /var/log/auth.log file.
Unfortunately I'm not well versed in the Debian-based distros.


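Added example (not part of any post in this thread): the `grep 'sshd'` approach from the replies, extended into a small parser that turns sshd lines from `/var/log/auth.log` (or `/var/log/secure`) into one record per login attempt and counts failures per source address. It assumes the usual OpenSSH "Accepted/Failed <method> for <user> from <ip> port <n>" message layout; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise sshd login attempts from a syslog-style auth log.
# Usage (assumed paths): ssh_events /var/log/auth.log
#                        zcat /var/log/auth.log.1.gz | ssh_events

# One line per attempt: month day time result method user source-ip
ssh_events() {
    awk '
    $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") && $8 == "for" {
        # Find the trailing "from <ip> port <n>" scanning right to left, so a
        # user name containing spaces or the word "from" cannot shift fields.
        for (i = NF - 3; i > 8; i--) {
            if ($i == "from" && $(i + 2) == "port") {
                first = ($9 == "invalid" && $10 == "user") ? 11 : 9
                user = ""
                for (j = first; j < i; j++) user = user (user == "" ? "" : " ") $j
                print $1, $2, $3, $6, $7, user, $(i + 1)
                break
            }
        }
    }' "$@"
}

# Failed attempts per source address, busiest first.
ssh_failed_by_ip() {
    ssh_events "$@" |
        awk '$4 == "Failed" { n[$NF]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# Constructed sample lines in the usual OpenSSH/syslog layout (not real data).
sample_auth_log() {
    cat <<'EOF'
Dec 13 09:14:02 host sshd[4121]: Accepted password for alice from 192.0.2.10 port 51122 ssh2
Dec 13 09:15:40 host sshd[4130]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Dec 13 09:15:44 host sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 40030 ssh2
Dec 13 09:20:11 host sshd[4188]: Accepted publickey for alice from 192.0.2.10 port 51200 ssh2
Dec 13 09:21:00 host CRON[4200]: (pam_unix) session opened for user root by (uid=0)
Dec 13 09:22:37 host sshd[4210]: Failed password for invalid user a from b port 1 from 203.0.113.9 port 40100 ssh2
EOF
}

sample_auth_log | ssh_events
sample_auth_log | ssh_failed_by_ip
```

Because the log file lives on the machine being monitored, this only shows connection attempts; what a user does after logging in still needs process accounting or a file integrity checker, as discussed in the thread.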
