So recently I found that someone has been using my computer without consent, browsing folders, etc.
I could change all my passwords straight away, but I'm curious as to what the intruding party was looking for. So I would like to set up a trap ( evil grin ).
What software will monitor any activity on my computer? While I know that capturing my screen would work here, I'd rather use a logfile.
For example:
/var/log/activity.log
[1 Aug 2010 20:23] /usr/bin/thunar accessed /multimedia/cctv-records/
[1 Aug 2010 20:25] /usr/bin/mplayer accessed /multimedia/cctv-records/00232.avi
[3 Aug 2010 02:34] /usr/bin/thunderbird was run
[3 Aug 2010 03:33] incoming ssh session from 12.32.132.123
Activities I would like to log are:
- Access to files and folders on the filesystem
- Commands run ( from console or otherwise )
- User sessions ( logins, ssh sessions and failed attempts )
Best Answer
You could use the in-kernel mechanism inotify for monitoring accessed files. First you should check if inotify is turned on in the kernel:

Next thing to do is install inotify-tools. Instructions for various distributions you could find at the project page - it should be in the repositories of all major distributions. After that inotify is ready to work:

(m = do not exit after one event, r = recursive, q = quiet)

For example - output after ls /home/pbm:

Important thing is to properly set directories for watch: / recursively - there is a lot of read/write to /dev and /proc.

In /proc/sys/fs/inotify/max_user_watches there is a configuration option that shows how many files can be watched simultaneously. The default value (for Gentoo) is not so high, so if you set a watcher to /home/ you could exceed the limit. You could increase the limit by using echo (root access needed). But before that you should read about the consequences of that change.

Options that could be interesting for you:
- -d = daemon mode
- -o file = output to file
- --format = user-specified format, more info in man inotifywait
- -e EVENT = what event should be monitored (for example access, modify, etc., more info in man inotifywait)
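As an added example (not part of the answer above), the script below checks whether a recursive watch on a directory fits under max_user_watches (inotify needs one watch per directory) and then starts inotifywait with -m -r -q, writing timestamped lines to a log file in the style the question asks for; note that inotify reports the event and path but not the program that caused it. The watched directory, log path, event list and time format are assumptions, not values from the answer.

```shell
#!/bin/sh
# Added example: size a recursive inotifywait watch before starting it.

# inotify uses one watch per directory, so count the directories under $1.
watches_needed() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# Current per-user limit, read from the path named in the answer.
# Falls back to 8192 (an assumed, commonly seen default) if unreadable.
max_user_watches() {
    cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 8192
}

# Returns 0 (true) when the tree under $1 fits under the limit, 1 otherwise.
fits_watch_limit() {
    needed=$(watches_needed "$1")
    limit=$(max_user_watches)
    [ "$needed" -lt "$limit" ]
}

# Start a non-exiting (-m), recursive (-r), quiet (-q) watcher on $1 and
# append lines such as "[01 Aug 2010 20:23] ACCESS /home/pbm/notes.txt"
# to the log file $2.  Event list and time format are example choices.
start_watch() {
    dir=$1
    log=$2
    if ! fits_watch_limit "$dir"; then
        echo "too many directories under $dir for max_user_watches" >&2
        return 1
    fi
    inotifywait -m -r -q \
        -e access -e modify -e create -e delete \
        --timefmt '%d %b %Y %H:%M' --format '[%T] %e %w%f' \
        "$dir" >> "$log"
}

# Usage with assumed paths:  start_watch /home/pbm /var/log/activity.log
```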