16

So recently I found that someone has been using my computer without consent, browsing folders, etc....

I could change all my passwords straight away, but I'm curious as the what the intruding party was looking for. So I would like to set up a trap ( evil grin ).

What software will monitor any activity on my computer? While I know that capturing my screen will work here. I'd rather use a logfile.

For example:

/var/log/activity.log

[1 Aug 2010 20:23] /usr/bin/thunar accessed /multimedia/cctv-records/
[1 Aug 2010 20:25] /usr/bin/mplayer accessed /multimedia/cctv-records/00232.avi
[3 Aug 2010 02:34] /usr/bin/thunderbird was run
[3 Aug 2010 03:33] incomming ssh session from 12.32.132.123

Activities I would like to log is:

  • Access to files and folders on the filesystem
  • Commands run ( from console or otherwise )
  • User Sessions ( login's, ssh sessions and failed attempts )
Antigona
  • 109
Stefan
  • 25,300

5 Answers5

8

You could use in-kernel mechanism inotify for monitoring accessed files.

First you should check if inotify is turned on in kernel:

pbm@tauri ~ $ zcat /proc/config.gz | grep CONFIG_INOTIFY
CONFIG_INOTIFY=y
CONFIG_INOTIFY_USER=y

Next thing to do is install inotify-tools. Instructions for various distributions you could find at project page - it should be in repositories of all major distributions.

After that inotify is ready to work:

inotifywait /dirs/to/watch -mrq

(m = do not exit after one event, r = recursive, q = quiet)

For example - output after ls /home/pbm

pbm@tauri ~ $ inotifywait /bin /home/pbm -mq 
/bin/ OPEN ls
/bin/ ACCESS ls
/bin/ ACCESS ls
/home/pbm/ OPEN,ISDIR 
/home/pbm/ CLOSE_NOWRITE,CLOSE,ISDIR 
/bin/ CLOSE_NOWRITE,CLOSE ls

Important thing is to properly set directories for watch:

  • don't watch / recursively - there is a lot of read/write to /dev and /proc
  • don't watch your home dir recursively - when you use apps there is a lot of read/write to application configuration dirs and browsers profile dirs

In /proc/sys/fs/inotify/max_user_watches there is configuration option that shows how many files can be watched simultaneously. Default value (for Gentoo) is about not so high, so if you set watcher to /home/ you could exceed limit. You could increase limit by using echo (root access needed).

echo 524288 > /proc/sys/fs/inotify/max_user_watches

But before that you should read about consequences of that change.

Options that could be interesting for you:

  • -d = daemon mode
  • -o file = output to file
  • --format = user-specified format, more info in man inotifywait
  • -e EVENT = what event should be monitored (for example access, modify, etc, more info in man)
pbm
  • 25,387
  • To have the setting last between system resets, on Debian you can do echo 524288 >> /etc/sysctl.conf && service procps restart. What's the equivalent in Gentoo? – tshepang Nov 23 '10 at 20:14
  • I thing that you mean echo "fs.inotify.max_user_watches = 524288" >> /etc/sysctl.conf. In Gentoo you could use the same method, but sysctl.conf is sourced by /etc/init.d/bootmisc init script. – pbm Nov 23 '10 at 20:23
  • 1
    actually it's /etc/init.d/sysctl. – OneOfOne Nov 23 '10 at 21:08
7

Is the other guy on to you? If he has physical access or root access, he can erase all his traces and even plant a bug to spy on you. On the other hand, some traces are a pain to erase, and it's hard to think of everything.

Various things are already recorded in the system logs, typically in /var/log (some systems use a different location such as /var/logs or /var/adm). Under a normal configuration, all logins and mounts are recorded, amongst others. If you're worried about logs being erased, you can set up remote logging (how to do this depends on the syslog implementation, but it's generally one or two lines to change in a configuration file on the sender and on the receiver).

If you or your distribution hasn't disabled this feature, every file has an access time (“atime”) which is updated whenever the file is read. (If the filesystem is mounted with the noatime or relatime option, the atime is not updated.) The atime can be faked with touch -a, but this updates the ctime, so it leaves a trace. (Even root cannot directly remove this trace, you need to bypass the filesystem code.)

Various programs have a session history. It's easy to remove or fake, if the intruder remembered to do so. Bash keeps ~/.bash_history, browsers tend to write lots of stuff in their profile directory, and so on. You may also find telling errors or warnings in ~/.xsession-errors or /var/log/Xorg.0.log or other system-dependent location.

Many unices have a process accounting¹ feature. See for example the GNU accounting utilities manual, the entry in the FreeBSD handbook or the Linux howto or the Solaris guide. Once enabled, it records what user launched what process when (it logs execve calls), and perhaps a little more. There's a lot of interesting information it doesn't log, such as the files accessed by the process.

If you want to monitor all accesses to a filesystem, you can provide it through loggedfs. It's very easy to notice if the guy thinks to look.

There are more comprehensive logging programs, but they might require additional kernel support. On Solaris, FreeBSD, NetBSD and Mac OS X, there is dtrace (there's a Linux port in progress but I don't know if it's reached a usable stage). You can also trace specific processes through an interface to the ptrace system call, for example strace on Linux; it may induce a noticeable slowdown.

¹ Something that's not in Wikipedia? Nah, that's crazy talk.

alanc
  • 2,994
Gilles 'SO- stop being evil'
  • 829,060
1

Have a look at Fail2ban and DenyHØsts.

iamsid
  • 2,514
  • 1
    Fail2ban looks at access logs to make certain actions (e.g., banning an ip), but it does not generate these kinds of access logs. DenyHosts rely on TCP Wrappers to ban ip, again, that's not related to the OP. – Barthelemy Nov 23 '10 at 12:31
1

This isn't exactly what you are looking for, but some apps keep a list of recently-accessed files. Also, GNOME keeps that list, which can be accessed from its Panel.

Another fix is to use GNOME Activity Journal, though last time I checked, it didn't keep a record of CLI activity, and was only interested in file-related activity (reading, editing), ignoring other activities.

You can also look inside /var/log directory where a bunch of programs store their logs.

tshepang
  • 65,642
1

Assuming enough naïveté on the side of your attacker, you can simply throw script -qft $USER-$$ 2> $USER-$$-time into his/your appropriate login script to monitor his or her terminal interactions and replay with the appropriate scriptreplay commands.

To monitor file-level access, I recommend attaching an strace -fe open with appropriate logging to the sshd and filtering for login sessions (or maybe it's better to just do this from . Warning: Huge outputs, since doing anything on a modern system touches a lot of files. If you just want to monitor specific files, have a look at auditd and its support infrastructure.

Sessions and login attempts can be gathered from syslog as per other answers.

Thomas Themel
  • 1,034