Thread: Monitor all user activity in directory's

  1. #1

    Monitor all user activity in directory's

    Hello

    I recently got a job for a university I am about to study with, and part of this job is administration of the servers.
    Problem is, one of these servers is used for website development, and the issue has been raised of what if some student accuses me of cheating?

    I need a way to monitor both my administration account's and the root account's activity in the web directories. Basically, I need to know if someone has even opened a directory, or read, copied, wrote or executed in a file. This would also be useful in the long term if I could implement it for all students; however, at the moment they are isolated, so the real problem is making sure the administrator isn't doing the wrong thing.

    Is there an application that can do this? I am not interested in monitoring whether a user connects or not, because I will be connecting, a lot. I need the logs to show where I was and what I did.

    I will continue looking, as I need to have this implemented or a definitive "can't be done" answer, preferably at end of year, mid January at the absolute latest.

  2. #2

    Re: Monitor all user activity in directory's

    1. You will need to change the kernel to do this - re-implement the open(), opendir(), etc. system calls so that every time one executes successfully in the directories you're interested in, it logs a message.

    2. I've never heard of anything so draconian - are you sure you joined a university and not a prison? I'd leave this place as soon as I can, this spells nothing but trouble.

  3. #3

    Re: Monitor all user activity in directory's

    You can use a realtime filesystem monitor, like iwatch, to monitor which files have changed and how (based on the events you choose to monitor) in a given directory.
    Example:

    Code:
    iwatch -r -e all_events /srv/www

  4. #4

    Re: Monitor all user activity in directory's

    Quote: Originally posted by noident
    2. I've never heard of anything so draconian - are you sure you joined a university and not a prison? I'd leave this place as soon as I can, this spells nothing but trouble.

    Lol, this is because you can't trust a failing student to blame someone else, like the server admin who is studying the same course, or if our works look similar it's easier for me to get the blame for copying.

    Thank you for the replies, I will give them a shot.

  5. #5

    Re: Monitor all user activity in directory's

    On 2011-12-05 22:56, gumbicus wrote:
    > lol, this is because you can't trust a failing student to blame someone
    > else, like the server admin who is studying the same course, or if our
    > works look similar it's easier for me to get the blame for copying.


    The proper answer is that the admin of that server can not be a student of
    that course. No matter what you use you will not be able to prove you did
    not even look, because being the admin you can erase all traces of whatever
    you invent, plant backdoors, whatever.

    Unless the files reside in another server that is not under your control,
    and the connection is encrypted. And a student there would also challenge
    that setup as being "phony".

    IMO, the job and the course are not compatible. This is like when the
    police have to investigate a crime and the inspector is family of a suspect.
    He has to move out. You will not be able to avoid suspicion.


    I have only seen that kind of audit trace in espionage movies... the 24h
    serial, I think.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  6. #6

    Re: Monitor all user activity in directory's

    Solved! thank you
    iwatch worked like a treat, I use the command:

    Code:
    iwatch -r -c "(w;ps -ef)|mail -s '%f was changed' ">/var/log/iwatch_log2.txt /srv/www

    The console itself will generate output + email error every time you do something, but the idea isn't to spam the board with emails every time I do something.

    I can now just add a cron job to email the log or move it to an ftp site where the board + my bosses can access it.
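
Added example, not part of the thread or of any poster's setup: iwatch is built on inotify, which reports the path and the event but not the account behind it. The sketch below assumes the Linux audit framework instead, with a hypothetical watch rule keyed `www-access` on /srv/www, and uses constructed sample records to show how audit.log ties each access to the login account (`auid`), which stays the same after `su` or `sudo`, so root activity can be traced back to the admin's own login.

```python
import re
from collections import defaultdict

# Assumed watch rule (audit framework, not taken from the thread):
#   auditctl -w /srv/www -p rwxa -k www-access
# Constructed, trimmed sample records in audit.log layout (not real data).
SAMPLE = """\
type=SYSCALL msg=audit(1323125760.101:4521): arch=c000003e syscall=2 success=yes pid=2150 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="www-access"
type=PATH msg=audit(1323125760.101:4521): item=0 name="/srv/www/student1/index.php" inode=131
type=SYSCALL msg=audit(1323125790.500:4530): arch=c000003e syscall=2 success=yes pid=2200 auid=1001 uid=1001 comm="vim" exe="/usr/bin/vim" key="www-access"
type=PATH msg=audit(1323125790.500:4530): item=0 name="/srv/www/student1/style.css" inode=132
type=SYSCALL msg=audit(1323125800.007:4533): arch=c000003e syscall=2 success=yes pid=2300 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="other-rule"
type=PATH msg=audit(1323125800.007:4533): item=0 name="/etc/hosts" inode=77
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def accesses(log, key="www-access"):
    """Join SYSCALL and PATH records on the event serial; keep one rule key.

    Returns (epoch, auid, uid, exe, path) tuples in log order.
    """
    events = defaultdict(lambda: {"paths": []})
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, epoch, serial, rest = m.groups()
        f = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "SYSCALL":
            events[serial].update(time=int(epoch), auid=f["auid"], uid=f["uid"],
                                  exe=f["exe"], key=f.get("key"))
        elif rtype == "PATH":
            events[serial]["paths"].append(f["name"])
    return [(e["time"], e["auid"], e["uid"], e["exe"], p)
            for e in events.values() if e.get("key") == key for p in e["paths"]]

def root_via_login(rows):
    """Accesses made as root (uid 0) by a session that logged in as someone else."""
    return [r for r in rows if r[2] == "0" and r[1] != "0"]

if __name__ == "__main__":
    for row in root_via_login(accesses(SAMPLE)):
        print(row)
```

As post #5 points out, records kept on the same host can be altered by its administrator, so they only carry weight once they are shipped to a machine the administrator does not control.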
