security – Monitoring Activity on My Computer

forensicslogsmonitoringSecurity

So recently I found that someone has been using my computer without consent, browsing folders, etc….

I could change all my passwords straight away, but I'm curious as the what the intruding party was looking for. So I would like to set up a trap ( evil grin ).

What software will monitor any activity on my computer? While I know that capturing my screen will work here. I'd rather use a logfile.

For example:

/var/log/activity.log

[1 Aug 2010 20:23] /usr/bin/thunar accessed /multimedia/cctv-records/
[1 Aug 2010 20:25] /usr/bin/mplayer accessed /multimedia/cctv-records/00232.avi
[3 Aug 2010 02:34] /usr/bin/thunderbird was run
[3 Aug 2010 03:33] incomming ssh session from 12.32.132.123

Activities I would like to log is:

Access to files and folders on the filesystem
Commands run ( from console or otherwise )
User Sessions ( login's, ssh sessions and failed attempts )

Best Answer

You could use in-kernel mechanism inotify for monitoring accessed files.

First you should check if inotify is turned on in kernel:

pbm@tauri ~ $ zcat /proc/config.gz | grep CONFIG_INOTIFY
CONFIG_INOTIFY=y
CONFIG_INOTIFY_USER=y

Next thing to do is install inotify-tools. Instructions for various distributions you could find at project page - it should be in repositories of all major distributions.

After that inotify is ready to work:

inotifywait /dirs/to/watch -mrq

(m = do not exit after one event, r = recursive, q = quiet)

For example - output after ls /home/pbm

pbm@tauri ~ $ inotifywait /bin /home/pbm -mq 
/bin/ OPEN ls
/bin/ ACCESS ls
/bin/ ACCESS ls
/home/pbm/ OPEN,ISDIR 
/home/pbm/ CLOSE_NOWRITE,CLOSE,ISDIR 
/bin/ CLOSE_NOWRITE,CLOSE ls

Important thing is to properly set directories for watch:

don't watch / recursively - there is a lot of read/write to /dev and /proc
don't watch your home dir recursively - when you use apps there is a lot of read/write to application configuration dirs and browsers profile dirs

In /proc/sys/fs/inotify/max_user_watches there is configuration option that shows how many files can be watched simultaneously. Default value (for Gentoo) is about not so high, so if you set watcher to /home/ you could exceed limit. You could increase limit by using echo (root access needed).

echo 524288 > /proc/sys/fs/inotify/max_user_watches

But before that you should read about consequences of that change.

Options that could be interesting for you:

-d = daemon mode
-o file = output to file
--format = user-specified format, more info in man inotifywait
-e EVENT = what event should be monitored (for example access, modify, etc, more info in man)

Related Solutions

Send auditd logs to another computer

I'm assuming you're on Linux by how you phrased your question. Should that be the case, then yes there is, look into audisp-remote and audispd. These are standard components in the current audit tools on Linux.

Linux – Monitoring filesystem activity

You can use strace for this:

strace -f -e trace=file command args...

strace traces system calls and prints a description of them to standard error as they occur. The -f option tells it to track child processes and threads as well. -e lets you modify the calls it will track: -e trace=file will log every use of open, unlink, etc, but no non-file actions.

If you want to see what was read from and written to files, change it to -e trace=file,read,write instead; you can list out any additional calls you want to examine there as well. If you leave off that argument entirely you get every system call.

The output is like this (I ran mkdir /tmp/test in a traced shell):

[pid  1444] execve("/usr/bin/mkdir", ["mkdir", "/tmp/test4"], [/* 33 vars */]) = 0
[pid  1444] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid  1444] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid  1444] open("/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
[pid  1444] open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
[pid  1444] mkdir("/tmp/test", 0777)    = 0
[pid  1444] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1444, si_status=0, si_utime=0, si_stime=0} ---

You can log to a file instead of the terminal with -o filename, and make the output (even) more verbose with -v. It's also possible to attach to an already-existing process with -p PID, in case that's more useful.

If you're looking to do this programmatically, rather than to inspect yourself, look at the ptrace call, which is what strace is built on.

Best Answer

Related Solutions

Send auditd logs to another computer

Linux – Monitoring filesystem activity

Related Question