# Record shell activities of all users



## rajashankaran (Jun 8, 2022)

Hello team,


          How to record all shell/terminal activities done by users on freebsd, i.e all commands entered in freebsd servers by all users. 

Thanks
Sankar


----------



## getopt (Jun 8, 2022)

rajashankaran
If you do not want that users use certain shell commands than just configure a MAC framework.

What you want is ethical highly questionable and may violate users' rights.


----------



## Phishfry (Jun 8, 2022)

Can't you just view the .history file for each user?






						history
					






					www.freebsd.org


----------



## jbo (Jun 8, 2022)

getopt said:


> What you want is ethical highly questionable and may violate users' rights.


This might also leak sensitive information governed by your governments' data/privacy protection laws.


----------



## Eric A. Borisch (Jun 8, 2022)

There are systems where this may be required contractually; what you are looking for is audit(4).

Adding _ex_ to _flags:_ in /etc/security/audit_control would be a place to start for what you're asking for. Note builtin commands _within_ the shell (for example, _cd_, which doesn't spawn a new process) won't be captured by _execve_ logging.

There's a whole chapter in the handbook on it.


----------



## Phishfry (Jun 8, 2022)

I am coming at this question from a workplace IT perspective.

All the business systems I have worked on explicitly stated that the system was being monitored.
So make a user account MOTD stating that the system is actively monitored.

This is standard practice herein USA. Nothing at work is private. All company owned work product.
No private email, MITM expected.
You are on a work system. Users should have no privacy expectation from the companies IT systems..
We have to sign documents attesting to such policies. It is a good idea to CYA.

Other countries might have different laws so check with legal.

I am a privacy hawk and under no circumstances would I disclose anything private on the company network.


----------



## ralphbsz (Jun 8, 2022)

I think what we have here is an XY problem. The OP is asking "how to do XY". It's really hard to answer that question, unless we know what they are really trying to accomplish.

So here are a few questions for the OP. What kind of a system is this? Single-user, or multi-user? If multi-user, are the users guaranteed to be friendly? Are they knowledgeable? Are you expecting them to be dangerous hackers? What important resources (such as valuable secret information) do you expect to be available on this machine? What problem are they trying to solve?

Having said all that: Learn about audit. It is not exactly what you want: It doesn't log shell commands, but for all commands that are not shell-internal, it will log the exec() call for the command being executed.

And look at the source code of bash; it has an option to log all commands (as entered) via syslog, but I don't think it is enabled by default. If you want that, recompile bash and install it. And prevent your users from disabling that option, and from switching to other shells.

Having said that: In reality, if you are worried about security, logging shell commands is the wrong place to start. Because it is easy for a nasty user to quickly create a program (in C, Python, Perl, ...) which does all the nasty things, and then just execute that program once. All you see in your shell command log is that they edited "helloworld.pl" (or .c or .py) and executed it. If you want to know what they really did, you need to enable auditing at finer granularity (like all file operations).


----------



## SirDice (Jun 8, 2022)

Phishfry said:


> You are on a work system. Users should have no privacy expectation from the companies IT systems..


Actually. This may be a European thing though, but you DO have privacy there too. At least down here you can expect _some_ privacy when it comes to email. Mainly because you are allowed to make the occasional personal call using the company's phone system (those are certainly expected to be private), and so those rights are transferred to email too. Pretty much the same thing also applies to files in a person's home directory. You cannot waive those rights with some MOTD, pre-login banner, or signed document. But again, this is probably quite different from the US's legal system. 



Phishfry said:


> Other countries might have different laws so check with legal.


Exactly. Definitely check your local laws, privacy or otherwise. 

That said, shell history is kind of finicky. Users can clear it. It may provide good information after the fact (when you're investigating a breach or some other violation) but you cannot rely on it. I've seen some set ups that used ttysnoop(8) on Linux systems. On FreeBSD you could do the same with watch(8).

Enabling auditing is really the way to go though. But this produces a TON of logging data. That may be a bit overkill for certain situations. You have to have something in place to analyze all that audit logging or else it'll just be a lot of useless data.


----------



## rajashankaran (Jun 9, 2022)

In order to comply with PCI audits, all user command activities on the server must be logged and kept for six months. To log user command activities on our Linux servers, we use the trap command. We are now trying to achieve the same in FreeBSD. Every user in FreeBSD has a local account and is trusted.


----------



## getopt (Jun 9, 2022)

rajashankaran said:


> In order to comply with PCI audits, all user command activities on the server must be logged and kept for six months.


Under which legislation? In which state is the server located? Are services to "FreeBSD users" commercially provided to international customers?
Do you mind to disclose the company you are working for? 

International FreeBSD users do have legal rights. I do not want to help those not respecting user's rights.


----------



## smithi (Jun 9, 2022)

SirDice said:


> Enabling auditing is really the way to go though. But this produces a TON of logging data. That may be a bit overkill for certain situations. You have to have something in place to analyze all that audit logging or else it'll just be a lot of useless data.


Far simpler and less resource heavy than full auditing is good old-fashioned process accounting, realised by enabling accounting in rc.conf - which just runs accton(8) on boot - then occasionally and/or periodically running lastcomm(1) to view and search processes, users, terminals used etc,  sa(8) to print desired statistics, ac(8) for connect time accounting, etc.

We ran such accounting from '98 to ~'06 on a small rural community server with 3 x 33.6k dialups and 1 dialout 56kbps modem, paying our then national carrier 25c/MB (yes, $250/GB!) for internet traffic, so charging users for time and data was critical to informing our bespoke billing programs, and for monitoring security.

Noting that process and time accounting do not reveal user command lines, just what is executed and resources used - so might not assist this OP - but are lightweight and simple to test for usefulness.


----------



## SirDice (Jun 9, 2022)

rajashankaran said:


> To log user command activities on our Linux servers, we use the trap command.


trap(1) is for catching a signal(3) in the shell.


----------



## smithi (Jun 9, 2022)

getopt said:


> International FreeBSD users do have legal rights. I do not want to help those not respecting user's rights.


I suspect you may have to argue about that with the present government of India, rather than those obliged to work within oppressive laws.


----------



## getopt (Jun 9, 2022)

smithi said:


> I suspect you may have to argue about that with the present government of India


I intentionally avoided to name a state that is posing to the public as the "largest democracy" on earth. 

My heart belongs to the suppressed not so to the vicarious agents or those making a fortune out of it.


----------



## rajashankaran (Jun 9, 2022)

SirDice said:


> trap(1) is for catching a signal(3) in the shell.


I can't see this trap command in repository.


----------



## fjdlr (Jun 9, 2022)

rajashankaran said:


> I can't see this trap command in repository.


Maybe trap is internal command..... ?


----------



## msplsh (Jun 9, 2022)

trap(1) says "Consult a shell's manual page for details on the operation [of] its builtin commands." (Oh, hello typo)

If you look at the table, trap is only supported in sh(1) and is documented there


----------



## jbo (Jun 9, 2022)

msplsh said:


> trap(1) says "Consult a shell's manual page for details on the operation [of] its builtin commands." (Oh, hello typo)


grahamperrin@ your services are needed


----------



## ralphbsz (Jun 9, 2022)

rajashankaran said:


> In order to comply with PCI audits, all user command activities on the server must be logged and kept for six months. To log user command activities on our Linux servers, we use the trap command. We are now trying to achieve the same in FreeBSD. Every user in FreeBSD has a local account and is trusted.


Ah finally, the OP tells us what their real goal is: They are in the financial industry, the system being discussed here processes card payments (for example credit cards), and they are preparing for an audit under PCI rules. 

This immediately means that a lot of the chatter about "rights" and "laws" becomes completely irrelevant. The only users of this system (in the sense of login user = UID) are likely employees and contractors working on the payment system. I very much doubt that this is a general use system (where people log in, read their mail, compile arbitrary code), but it is likely dedicated to processing payments.

But it also means that advice from random strangers on the internet is not what the OP needs. They need to read and understand the PCI rules. On the web, you can find guides for how to configure Linux systems for PCI compliance; the OP can probably go through those and take the exact equivalent steps on FreeBSD. I've gone through computer security audits, and they probably need to talk to the auditor (which is actually either an audit government agency or company) about what plans and documents are required.

On the specific question: The answer ultimately has to come from reading the PCI DSS standard, but it seems plausible that enabling either process accounting (which logs all external, but not builtin commands) or file operation accounting (which logs the effect of all commands on files) will satisfy the requirements. A quick look at a compliance guide (search for IBM Payment Card Industry DSS compliance) does not say anything about shell command logging.

And finally, the sh and bash shells (on both Linux and FreeBSD) have a trap command, but it is not for logging of all commands, but for handling signals. If the claims that they use it for that purpose in the PCI compliance framework on Linux, then I'm very confused.


----------



## msplsh (Jun 9, 2022)

Section 10.2.2

I think the OP is going to want to look at auditd(8)


----------



## Eric A. Borisch (Jun 9, 2022)

I’m guessing they’re referring to something like this for logging bash: https://confluence.atlassian.com/co...nd-line-audit-logging-in-linux-956166545.html

This uses bash’s trap DEBUG to do logging. So long as you’re trying to log user actions and they aren’t trying to avoid it, I suppose this works to some level; it can easily be reset/disabled, and doesn’t track what other applications or shells do. (Not all actions on a system flow through a shell…)

You could certainly choose to do something similar on FreeBSD (install bash, set that as root’s shell, configure default trap DEBUG in the initialization scripts… but there are parts of that which are in general avoided (using a non-base-system shell for root, for one), and it’s certainly not a logging method to capture malicious use, _but it could at least log unintentional actions made in good faith_.

As I started with way back in this thread, audit(4) is more designed for capturing bad faith actors, but it has its own limitations. If they are already root on your system, however, it can’t stop them from working around it.

So you really need to define what types of things (malicious? accidents? access attempts? shell command histories?) you are trying to capture; I’m  it familiar with PCI, but if it is like most security standards, it is frustratingly vague about what exactly is required/expected, providing a lucrative consulting opportunity for those involved in its creation.

See also accton(8) (and associated /etc/rc.d/accounting) and security(7) for further reading.


----------



## grahamperrin@ (Jun 9, 2022)

msplsh said:


> hello typo



FreeBSD bug 264576 – builtin(1): corrections to grammar


----------



## cy@ (Jun 9, 2022)

I don't know of any other shell that can do this but enable the SYSLOG option of shells/bash. The downside is that your users must all use bash. Kinda draconian but it's the only tool I know of.

An example of this is Broadcom's Layer 7 product. Originally written by a Vancouver, BC company called Layer 7, bought by CA, which in turn was purchased by Broadcom. Typical corporate stuff.

Layer 7 is an API gateway (Layer 7 firewall). The shell is bash and all commands are logged to syslog.

If your syslog is configured correctly, you can send that to a syslog collection machine.

Other than that you're looking at history and $PS1 hacks, any of which can be circumvented by the user.

If  you're willing to do that with FreeBSD's Bourne or C shell, you'd need to patch it like the bash patch.


----------



## Eric A. Borisch (Jun 9, 2022)

cy@ said:


> I don't know of any other shell that can do this but enable the SYSLOG option of shells/bash. The downside is that your users must all use bash. Kinda draconian but it's the only tool I know of.



If you're not familiar, he's describing building and installing shells/bash from the ports tree with the SYSLOG option enabled.

(And again, really only useful for users intending to be logged -- and still only actual commands run via bash.)


----------



## SirDice (Jun 9, 2022)

Mentioned in that Atlassian document:


> As an alternative you may consider Snoopy:
> 
> Snoopy is a small library that logs all program executions on your Linux/BSD system.



security/snoopy



> snoopy is merely a shared library that is used as a wrapper to the execve()
> function provided by libc as to log every call to syslog (authpriv).


Looks like this hooks in at a lower level, making it indifferent to the shell being used. Probably won't log builtin(1) commands though. But it might still be worth checking out.


----------



## DavidMarec (Jun 10, 2022)

There is a snooping module, to watch other's TTY activity.

One has to first load the snp module:
`kldload snp`

then request to watch another tty:
`david:~>root@llanura:~ # w
10:06PM  up  2:23, 2 users, load averages: 0.08, 0.21, 0.23
USER       TTY      FROM       LOGIN@  IDLE WHAT
david      pts/0    unix:0.0  10:00PM     - w
david      pts/2    unix:0.0  10:05PM     - tcsh
root@llanura:~ # watch pts/2`


----------

