Monitoring activity on my computer.
So recently I found that someone has been using my computer without consent, browsing folders, etc….
I could change all my passwords straight away, but I’m curious as to what the intruding party was looking for. So I would like to set up a trap (evil grin).
What software will monitor any activity on my computer? While I know that capturing my screen would work here, I’d rather use a logfile, something like:
[1 Aug 2010 20:23] /usr/bin/thunar accessed /multimedia/cctv-records/
[1 Aug 2010 20:25] /usr/bin/mplayer accessed /multimedia/cctv-records/00232.avi
[3 Aug 2010 02:34] /usr/bin/thunderbird was run
[3 Aug 2010 03:33] incoming ssh session from 220.127.116.11
Activities I would like to log are:
- Access to files and folders on the filesystem
- Commands run (from console or otherwise)
- User sessions (logins, ssh sessions and failed attempts)
This isn’t exactly what you are looking for, but some apps keep a list of recently-accessed files. Also, GNOME keeps that list, which can be accessed from its Panel.
Another fix is to use GNOME Activity Journal, though last time I checked, it didn’t keep a record of CLI activity, and was only interested in file-related activity (reading, editing), ignoring other activities.
You can also look inside the /var/log directory, where a bunch of programs store their logs.
Assuming enough naïveté on the side of your attacker, you can simply throw script -qft $USER-$$ 2> $USER-$$-time into his/your appropriate login script to monitor his or her terminal interactions and replay with the appropriate scriptreplay commands.
To monitor file-level access, I recommend attaching an strace -fe open with appropriate logging to the sshd and filtering for login sessions (or maybe it’s better to just do this from . Warning: huge outputs, since doing anything on a modern system touches a lot of files. If you just want to monitor specific files, have a look at auditd and its support infrastructure.
Sessions and login attempts can be gathered from syslog as per other answers.
You could use the in-kernel mechanism inotify for monitoring accessed files.
First you should check if inotify is turned on in the kernel:
pbm@tauri ~ $ zcat /proc/config.gz | grep CONFIG_INOTIFY
CONFIG_INOTIFY=y
CONFIG_INOTIFY_USER=y
The next thing to do is install inotify-tools. Instructions for various distributions can be found at the project page – it should be in the repositories of all major distributions.
After that inotify is ready to work:
inotifywait /dirs/to/watch -mrq
(m = do not exit after one event, r = recursive, q = quiet)
For example – output after
pbm@tauri ~ $ inotifywait /bin /home/pbm -mq
/bin/ OPEN ls
/bin/ ACCESS ls
/bin/ ACCESS ls
/home/pbm/ OPEN,ISDIR
/home/pbm/ CLOSE_NOWRITE,CLOSE,ISDIR
/bin/ CLOSE_NOWRITE,CLOSE ls
The important thing is to properly set the directories to watch:
- don’t watch / recursively – there is a lot of read/write to
- don’t watch your home dir recursively – when you use apps there is a lot of read/write to application configuration dirs and browser profile dirs
In /proc/sys/fs/inotify/max_user_watches there is a configuration option that shows how many files can be watched simultaneously. The default value (for Gentoo) is not so high, so if you set a watcher on /home/ you could exceed the limit. You can increase the limit by using echo (root access needed):
echo 524288 > /proc/sys/fs/inotify/max_user_watches
But before that you should read about the consequences of that change.
Options that could be interesting for you:
- -d = daemon mode
- -o file = output to file
- --format = user-specified format, more info in
- -e EVENT = what event should be monitored (for example modify, etc., more info in
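As an added example (not code from the answer above), a small POSIX sh wrapper that turns inotifywait events into a timestamped logfile in the style sketched in the question. The exclude pattern and the sample lines are constructed assumptions, and inotify reports the path and the event but not which program did the opening; for the "which process" part, auditd is the tool.

```shell
#!/bin/sh
# Added example (not from the original answers): turn inotifywait output into a
# timestamped access log in the style sketched in the question. Live use assumes
# inotify-tools is installed; the formatter itself only needs awk.

# Reads "timestamp|path|events" lines, i.e. what
#   inotifywait --timefmt '%d %b %Y %H:%M' --format '%T|%w%f|%e'
# emits, and writes "[timestamp] verb path (events)" lines. The '|' separator
# keeps paths containing spaces intact; paths containing '|' are assumed not
# to occur.
format_access_log() {
    awk -F'|' '
        NF == 3 {
            ts = $1; path = $2; events = $3
            # ISDIR marks a directory event, i.e. someone browsing a folder
            verb = (events ~ /ISDIR/) ? "browsed" : "accessed"
            printf "[%s] %s %s (%s)\n", ts, verb, path, events
        }'
}

# Live watcher: recursive, never exits, only the events that matter here
# (opening files or folders, changing, creating, deleting, moving), with the
# noisy per-application config and cache directories excluded as the answer
# above recommends. Usage: watch_dirs /multimedia /srv/shared >> access.log
watch_dirs() {
    inotifywait -m -r -q \
        -e open,modify,create,delete,moved_to,moved_from \
        --exclude '/\.(cache|config|mozilla|local)/' \
        --timefmt '%d %b %Y %H:%M' --format '%T|%w%f|%e' "$@" \
        | format_access_log
}

# Constructed sample of raw inotifywait lines, mirroring the question's example.
SAMPLE_EVENTS='01 Aug 2010 20:23|/multimedia/cctv-records/|OPEN,ISDIR
01 Aug 2010 20:25|/multimedia/cctv-records/00232.avi|OPEN'

# Formats the constructed sample; handy for checking the log layout offline.
format_sample() {
    printf '%s\n' "$SAMPLE_EVENTS" | format_access_log
}

format_sample
```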
Is the other guy on to you? If he has physical access or root access, he can erase all his traces and even plant a bug to spy on you. On the other hand, some traces are a pain to erase, and it’s hard to think of everything.
Various things are already recorded in the system logs, typically in /var/log (some systems use a different location such as /var/adm). Under a normal configuration, all logins and mounts are recorded, amongst others. If you’re worried about logs being erased, you can set up remote logging (how to do this depends on the syslog implementation, but it’s generally one or two lines to change in a configuration file on the sender and on the receiver).
If you or your distribution hasn’t disabled this feature, every file has an access time (“atime”) which is updated whenever the file is read. (If the filesystem is mounted with the relatime option, the atime is not updated.) The atime can be faked with touch -a, but this updates the ctime, so it leaves a trace. (Even root cannot directly remove this trace; you need to bypass the filesystem code.)
Various programs have a session history. It’s easy to remove or fake, if the intruder remembered to do so. Bash keeps ~/.bash_history, browsers tend to write lots of stuff in their profile directory, and so on. You may also find telling errors or warnings in /var/log/Xorg.0.log or another system-dependent location.
Many unices have a process accounting¹ feature. See for example the GNU accounting utilities manual, the entry in the FreeBSD handbook or the Linux howto or the Solaris guide. Once enabled, it records what user launched what process when (it logs execve calls), and perhaps a little more. There’s a lot of interesting information it doesn’t log, such as the files accessed by the process.
If you want to monitor all accesses to a filesystem, you can provide it through loggedfs. It’s very easy to notice if the guy thinks to look.
There are more comprehensive logging programs, but they might require additional kernel support. On Solaris, FreeBSD, NetBSD and Mac OS X, there is dtrace (there’s a Linux port in progress but I don’t know if it’s reached a usable stage). You can also trace specific processes through an interface to the ptrace system call, for example strace on Linux; it may induce a noticeable slowdown.
¹ Something that’s not in Wikipedia? Nah, that’s crazy talk.
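The touch -a trace mentioned in this answer, as an added example (not the answer's own code): a heuristic check that flags files whose ctime was bumped after the last content write while the atime points further back, which is the pattern a backdated atime leaves. It assumes GNU or busybox coreutils (stat -c, touch -d); a chmod or chown also bumps ctime, so hits are leads to look at, not proof.

```shell
#!/bin/sh
# Added example (not from the original answer): a heuristic check for the
# "touch -a" trace described above. Backdating atime rewrites the inode, so
# ctime jumps to "now" while atime stays in the past. Assumes stat -c and
# touch -d (GNU or busybox). A chmod/chown also bumps ctime, so treat hits
# as leads, not proof.

# Prints "suspicious" when ctime is newer than mtime (metadata changed after
# the last content write) AND atime is older than ctime (no read since), which
# is exactly what "touch -a <old date>" leaves behind. Prints "ok" otherwise;
# returns 2 if the path cannot be stat'ed.
atime_backdated() {
    times=$(stat -c '%X %Y %Z' "$1") || return 2
    set -- $times                  # $1=atime $2=mtime $3=ctime (epoch seconds)
    if [ "$3" -gt "$2" ] && [ "$1" -lt "$3" ]; then
        echo suspicious
    else
        echo ok
    fi
}

# Walks a directory and lists every regular file matching the pattern together
# with its three timestamps for a closer look. Usage: scan_dir /multimedia
scan_dir() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        [ "$(atime_backdated "$f")" = suspicious ] || continue
        stat -c '%n  atime=%x  mtime=%y  ctime=%z' "$f"
    done
}
```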