Ubuntu – Monitor visited websites of guest account through any browser

Tags: apparmor, guest-session, internet, iptables, logging

I want to know which websites/URLs are visited by users of my home computer's guest account.

Is there a way to log this and save it as nicely formatted list to the disk? I only need date/time and visited URL. If possible, full URLs would be nice, but domain only is also good for a start.

Update:

After having read the linked answers and suggestions in the chat from A.B., I ran the following command:

$ sudo iptables -A OUTPUT -m owner --uid-owner 499 -j LOG --log-prefix='[GUEST INTERNET ACCESS] '

after having set the guest account UID to the fixed UID 499, following "Set or determine the UID range for guest accounts".

But /var/log/kern.log still doesn't contain those logs, but rather lots of messages from AppArmor saying that it denied something:

Nov 18 11:19:22 wolf-pack kernel: [ 1030.063374] audit: type=1400 audit(1447841962.731:164): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/stdout" pid=4693 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=499 ouid=0

I have posted a separate question about the AppArmor problem here: AppArmor blocks logging set up through iptables for guest account – How to enable?

Best Answer

I think your intention is clear here: log URLs of websites visited by anyone using any application as the guest user.

Suggesting iptables logging to achieve this task isn't correct. iptables (without some obscure, performance-limiting extensions) works on the IP protocol, not on the application level.

I've also seen suggestions in the URLs suggested as comments - responders suggested only capturing packets with SYN flags (new connections). That, too, results from the misunderstanding described above.

The way to achieve what you want is:

  1. Install a web proxy (preferably lightweight, such as tinyproxy).
  2. Add iptables rules that redirect outgoing connections made by only a specific user to ports 80,443/tcp to the local proxy.

What I had in mind is described here (not my post). This way you get a web proxy log which has all the HTTP requests logged. You won't get logs related to SSL protected traffic though, which is a good thing.

To reiterate: URLs are not part of the IP or TCP header structure, thus something working on the IP/TCP level isn't going to be able to show you this data, unless it has some TCP dissector (tcpdump/wireshark are able to do this but not iptables alone).
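The point made in the answer above, that a URL lives in the TCP payload and not in the IP or TCP headers, shown as an added example (not part of the original answer). The packets are constructed sample data using documentation addresses, and all function names are illustrative.

```python
import socket
import struct

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4+TCP packet (constructed sample; checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def header_view(packet):
    """Everything an IP/TCP-level rule can see: addresses, ports, flags."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport,
            "syn": bool(packet[ihl + 13] & 0x02)}

def dissect_http_url(packet):
    """Application-level view: parse the TCP payload as an HTTP request."""
    ihl = (packet[0] & 0x0F) * 4
    payload = packet[ihl + (packet[ihl + 12] >> 4) * 4:]
    if not payload:
        return None  # a bare SYN carries no request at all
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not plaintext HTTP, e.g. a TLS record on port 443
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    return f"http://{host}{parts[1]}" if host else None

# Constructed sample packets: connection open, HTTP request, TLS record.
SYN = build_packet("192.0.2.10", "198.51.100.20", 40000, 80, 0x02)
REQ = build_packet("192.0.2.10", "198.51.100.20", 40000, 80, 0x18,
                   b"GET /docs/page.html?x=1 HTTP/1.1\r\n"
                   b"Host: www.example.com\r\nUser-Agent: test\r\n\r\n")
TLS = build_packet("192.0.2.10", "198.51.100.20", 40001, 443, 0x18,
                   b"\x16\x03\x01\x00\x05hello")

if __name__ == "__main__":
    for name, pkt in (("SYN", SYN), ("REQ", REQ), ("TLS", TLS)):
        print(name, header_view(pkt), dissect_http_url(pkt))
```

Only the second packet yields a URL, and only after the payload is parsed; the header view is identical in kind for all three, which is why a header-level log records addresses and ports but never the page visited.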
