Monitoring activity on my computer.

Have a look at Fail2ban and DenyHØsts.

This isn’t exactly what you are looking for, but some apps keep a list of recently-accessed files. Also, GNOME keeps that list, which can be accessed from its Panel.

Another fix is to use GNOME Activity Journal, though last time I checked, it didn’t keep a record of CLI activity, and was only interested in file-related activity (reading, editing), ignoring other activities.

You can also look inside /var/log directory where a bunch of programs store their logs.

Assuming enough naïveté on the side of your attacker, you can simply throw script -qft $USER-$$ 2> $USER-$$-time into his/your appropriate login script to monitor his or her terminal interactions and replay with the appropriate scriptreplay commands.

To monitor file-level access, I recommend attaching an strace -fe open with appropriate logging to the sshd and filtering for login sessions (or maybe it’s better to just do this from . Warning: Huge outputs, since doing anything on a modern system touches a lot of files. If you just want to monitor specific files, have a look at auditd and its support infrastructure.

Sessions and login attempts can be gathered from syslog as per other answers.

Is the other guy on to you? If he has physical access or root access, he can erase all his traces and even plant a bug to spy on you. On the other hand, some traces are a pain to erase, and it’s hard to think of everything.

Various things are already recorded in the system logs, typically in /var/log (some systems use a different location such as /var/logs or /var/adm). Under a normal configuration, all logins and mounts are recorded, amongst others. If you’re worried about logs being erased, you can set up remote logging (how to do this depends on the syslog implementation, but it’s generally one or two lines to change in a configuration file on the sender and on the receiver).

If you or your distribution hasn’t disabled this feature, every file has an access time (“atime”) which is updated whenever the file is read. (If the filesystem is mounted with the noatime or relatime option, the atime is not updated.) The atime can be faked with touch -a, but this updates the ctime, so it leaves a trace. (Even root cannot directly remove this trace, you need to bypass the filesystem code.)

Various programs have a session history. It’s easy to remove or fake, if the intruder remembered to do so. Bash keeps ~/.bash_history, browsers tend to write lots of stuff in their profile directory, and so on. You may also find telling errors or warnings in ~/.xsession-errors or /var/log/Xorg.0.log or other system-dependent location.

Many unices have a process accounting¹ feature. See for example the GNU accounting utilities manual, the entry in the FreeBSD handbook or the Linux howto or the Solaris guide. Once enabled, it records what user launched what process when (it logs execve calls), and perhaps a little more. There’s a lot of interesting information it doesn’t log, such as the files accessed by the process.

If you want to monitor all accesses to a filesystem, you can provide it through loggedfs. It’s very easy to notice if the guy thinks to look.

There are more comprehensive logging programs, but they might require additional kernel support. On Solaris, FreeBSD, NetBSD and Mac OS X, there is dtrace (there’s a Linux port in progress but I don’t know if it’s reached a usable stage). You can also trace specific processes through an interface to the ptrace system call, for example strace on Linux; it may induce a noticeable slowdown.

¹ _{Something that’s not in Wikipedia? Nah, that’s crazy talk.}