KBTAG: kben10000067
URL: http://www.securityportal.com/lskb/10000050/kben10000067.html
Date created: 17/07/2000
Date modified: 25/08/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Monitoring users
Keywords: Users
One issue common to shell servers is making sure users do not abuse the server. This is rather easy to monitor for standard resources (such as disk usage, CPU usage, and so forth), but one of the most frequently abused items is bandwidth. Luckily, there are a variety of ways to monitor this abuse.
Of course this is all well and good if nothing goes wrong. But what if you actually want to monitor what a user is doing? (Be warned: there are legal implications that can get you in trouble, so ask your lawyers first.) This is where a tool such as ttysnoop comes in. ttysnoop allows you to monitor what a user is doing and record it. You can get ttysnoop from: http://uscan.cjb.net/.
UserIPAcct allows you to monitor bandwidth usage by user. It involves patching the kernel and setting up rules (similar in concept to firewalling) to monitor the amount of data a user's programs send or receive. You cannot account for data on PPP connections, however, since the PPP daemon does not run as the user logging in (although you could hack it to do this). I would recommend this highly for shell servers in order to monitor users (generally speaking, a minor percentage of users will make up the bulk of usage). You can download the complete package from: http://rsmeyers.3ti.org/useripacct/.
shells
Most shells have a command history. Simply turn command logging on, set the user's shell configuration file immutable, and set the log file (i.e. $HOME/.bash_history) append-only with "chattr +a".
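The attribute setup described above, as an added example that is not part of the original article: harden_user applies the flags and audit_attrs reads lsattr output and reports accounts where they are missing. It assumes bash users, ext2/3/4 file attributes (chattr/lsattr from e2fsprogs), root privileges and the startup file names listed in the script; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: bash users, ext2/3/4 attributes (chattr/lsattr
# from e2fsprogs), root privileges, and the startup file names listed below.

RC_FILES=".bashrc .bash_profile .bash_logout"

# harden_user HOME: make the history append-only and the startup files immutable.
harden_user() {
    home=$1
    if [ -f "$home/.bash_history" ]; then
        chattr +a "$home/.bash_history"
    fi
    for rc in $RC_FILES; do
        if [ -f "$home/$rc" ]; then
            chattr +i "$home/$rc"
        fi
    done
}

# audit_attrs: read `lsattr` output ("<flags> <path>") on stdin, print every
# history or startup file missing its flag, return non-zero if any were found.
audit_attrs() {
    bad=0
    while read -r flags path; do
        case $path in
            */.bash_history) want=a ;;
            */.bashrc|*/.bash_profile|*/.bash_logout) want=i ;;
            *) continue ;;
        esac
        case $flags in
            *"$want"*) ;;
            *) echo "MISSING +$want: $path"; bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample of `lsattr` output: alice is hardened, bob is not.
sample_lsattr() {
    cat <<'EOF'
-----a--------e------- /home/alice/.bash_history
----i---------e------- /home/alice/.bashrc
--------------e------- /home/bob/.bash_history
--------------e------- /home/bob/.bashrc
--------------e------- /home/bob/notes.txt
EOF
}

# Real use (as root): lsattr /home/*/.bash_history /home/*/.bashrc | audit_attrs
```

Running the audit from cron and alerting on any MISSING line catches accounts created after the flags were first applied.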