Monitor all user activity in directories

Hello

I recently got a job at a university I am about to study at, and part of this job is administration of the servers.
The problem is that one of these servers is used for website development, and the question has been raised: what if some student accuses me of cheating?

I need a way to monitor both my administration account's and the root account's activity in the web directories. Basically I need to know if someone has even opened a directory, or read, copied, written to or executed a file. This would also be useful in the long term if I could implement it for all students; however, at the moment they are isolated, so the real problem is making sure the administrator isn’t doing the wrong thing.

Is there an application that can do this? I am not interested in monitoring whether a user connects or not, because I will be connecting a lot. I need the logs to show where I was and what I did.

I will continue looking, as I need to have this implemented, or a definitive “can’t be done” answer, preferably by the end of the year, mid-January at the absolute latest.

  1. You will need to change the kernel to do this: re-implement the open(), opendir(), etc. system calls so that every time one executes successfully in the directories you’re interested in, it logs a message.

  2. I’ve never heard of anything so draconian. Are you sure you joined a university and not a prison? I’d leave this place as soon as I could; this spells nothing but trouble.

You can use a real-time filesystem monitor, like iwatch, to monitor which files have changed and how (based on the events you choose to monitor) in a given directory.
Example:

iwatch -r -e all_events /srv/www

lol, this is because you can’t trust a failing student to blame someone else, like the server admin who is studying the same course, or if our work looks similar it’s easier for me to get the blame for copying.

Thank you for the replies, I will give them a shot.

On 2011-12-05 22:56, gumbicus wrote:
> lol, this is because you can’t trust a failing student to blame someone
> else, like the server admin who is studying the same course, or if our
> work looks similar it’s easier for me to get the blame for copying.

The proper answer is that the admin of that server cannot be a student of
that course. No matter what you use, you will not be able to prove you did
not even look, because being the admin you can erase all traces of whatever
you invent, plant backdoors, whatever.

Unless the files reside in another server that is not under your control,
and the connection is encrypted. And a student there would also challenge
that setup as being “phony”.

IMO, the job and the course are not compatible. This is like when the
police have to investigate a crime and the inspector is a relative of a
suspect. He has to move out. You will not be able to avoid suspicion.

I have only seen that kind of audit trail in espionage movies… the TV
series 24, I think.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Solved! Thank you :)
iwatch worked like a treat; I use the command:

iwatch -r -c "(w;ps -ef)|mail -s '%f was changed' " >/var/log/iwatch_log2.txt /srv/www

The console itself will generate output and an email error every time you do something, but the idea isn’t to spam the board with emails every time I do something.

I can now just add a cron job to email the log, or move it to an FTP site where the board and my bosses can access it.
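One caveat on the solution above for anyone reusing it: iwatch is built on inotify, which reports that a file was opened, read or changed but not which user or process did it, so its log cannot separate the admin's own actions from root's or from another student's. The Linux audit subsystem (auditd) records that. A watch rule such as auditctl -w /srv/www -p rwxa -k www-watch logs every open, write, exec and attribute change under that tree together with the current uid and the login uid (auid), which survives su and sudo, so an admin who became root still appears under their own account. As an added example that is not from the thread, from iwatch or from auditd itself, the Python below parses a hand-constructed fragment of such audit records (all serials, timestamps, uids and paths are invented) and attributes each access to the login account, flagging accesses made under a different uid than the login and accesses the kernel denied. Like the iwatch log, the audit file is local and root-writable, so copying it off the host on a schedule, as the post above plans, is what makes the trail meaningful.

```python
import re
from collections import OrderedDict, defaultdict

# Constructed sample of what auditd writes to /var/log/audit/audit.log for a
# watch rule like:  auditctl -w /srv/www -p rwxa -k www-watch
# Serials, timestamps, uids and paths are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1323123456.101:501): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=1000 ses=4 comm="cat" exe="/bin/cat" key="www-watch"
type=CWD msg=audit(1323123456.101:501): cwd="/root"
type=PATH msg=audit(1323123456.101:501): item=0 name="/srv/www/student1/index.php" inode=1234 dev=08:01 mode=0100644 ouid=1001 ogid=1001
type=SYSCALL msg=audit(1323123500.220:502): arch=c000003e syscall=2 success=yes exit=4 uid=1001 auid=1001 ses=7 comm="vim" exe="/usr/bin/vim" key="www-watch"
type=PATH msg=audit(1323123500.220:502): item=0 name="/srv/www/student1/index.php" inode=1234 dev=08:01 mode=0100644 ouid=1001 ogid=1001
type=SYSCALL msg=audit(1323123600.330:503): arch=c000003e syscall=2 success=no exit=-13 uid=1002 auid=1002 ses=9 comm="cat" exe="/bin/cat" key="www-watch"
type=PATH msg=audit(1323123600.330:503): item=0 name="/srv/www/student1/index.php" inode=1234 dev=08:01 mode=0100644 ouid=1001 ogid=1001
"""

# x86_64 (arch=c000003e) syscall numbers a -p rwxa watch typically produces;
# other architectures use different numbers.
SYSCALL_NAMES = {"2": "open", "257": "openat", "59": "execve", "82": "rename",
                 "87": "unlink", "83": "mkdir", "90": "chmod", "92": "chown"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into its key=value fields plus timestamp and serial."""
    m = _MSG.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def attribute_events(log_text):
    """Join the SYSCALL and PATH records sharing a serial into one event per access.

    auid is the login uid fixed at authentication time and kept across su/sudo,
    so it names the person; uid is whoever the process was running as.
    """
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["_serial"], {"serial": rec["_serial"], "paths": []})
        if rec.get("type") == "SYSCALL":
            ev.update(
                ts=rec["_ts"],
                uid=rec.get("uid"),
                auid=rec.get("auid"),
                success=rec.get("success") == "yes",
                comm=rec.get("comm"),
                syscall=SYSCALL_NAMES.get(rec.get("syscall"), rec.get("syscall")),
            )
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec.get("name"))
    return list(events.values())


def privilege_switches(events):
    """Accesses made under a different uid than the login uid (e.g. root via su)."""
    return [e for e in events if e.get("auid") and e["auid"] != e.get("uid")]


def denied_accesses(events):
    """Attempts the kernel refused (success=no); these are logged too."""
    return [e for e in events if not e.get("success", True)]


def summarize_by_login(events):
    """Count accesses per login uid: the per-person trail the thread asks for."""
    counts = defaultdict(int)
    for e in events:
        counts[e.get("auid")] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = attribute_events(SAMPLE_AUDIT_LOG)
    switched = privilege_switches(evs)
    for e in evs:
        flag = " (uid differs from login uid)" if e in switched else ""
        print(f"{e['ts']:.0f} auid={e['auid']} uid={e['uid']} {e['syscall']} "
              f"{'ok' if e['success'] else 'DENIED'} {e['comm']} {e['paths']}{flag}")
    print("accesses per login uid:", summarize_by_login(evs))
```

Run it directly to print one line per access; in the constructed sample the first event is the admin (auid 1000) reading a student's file as root, which an inotify-based log would only show as an open with no owner.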