10

Is there any method to log vi activities? I suspect that another user is issuing commands by going into the shell inside the vi editor; apparently those commands don't get recorded in history.

Desperatuss0ccus
vnix27

3 Answers

7

How are you logging their activities right now? The easiest is to block them from launching shells from vi.

# vi /home/user/.exrc
set exrc
set shell=/bin/false
# chown root:root /home/user/.exrc
# chmod 644 /home/user/.exrc
# chattr +i /home/user/.exrc

If you're using a special shell to log their commands, you could change vi to use that shell only.

Steven
6

You can also turn on process accounting ( s/can/should/ !)

You can then use:

lastcomm(1)

to see the command run and if they were run after a fork, with or without an exec.

Combined with a host based IDS this should give you what you need "that the King's justice may be done upon him."

chiggsy
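As an added example (not part of any answer above), the process-accounting suggestion can be turned into a filter over lastcomm output: it lists what a user ran on any terminal where they also ran vi, marking shells and the F (fork without exec) flag. The column layout, the user alice and the sample records are constructed assumptions, and because this output has no parent-process column, matching by terminal is only a heuristic.

```shell
#!/bin/sh
# Constructed sample in the column layout assumed for lastcomm output:
# command, optional flags (S F C D X), user, tty, cpu time, "secs", start time.
sample_lastcomm() {
cat <<'EOF'
vi                     alice    pts/1      0.03 secs Mon Mar  3 10:02
bash              F    alice    pts/1      0.00 secs Mon Mar  3 10:05
cat                    alice    pts/1      0.00 secs Mon Mar  3 10:04
sh                     alice    pts/1      0.01 secs Mon Mar  3 10:03
ls                     alice    pts/2      0.00 secs Mon Mar  3 09:50
bash                   alice    pts/2      0.02 secs Mon Mar  3 09:40
vi                S    root     pts/0      0.02 secs Mon Mar  3 09:30
EOF
}

# Hypothetical helper. Usage: lastcomm | editor_tty_activity alice
# Prints "tty command flags kind" for everything the user ran on a
# terminal where the same user also ran a vi-family editor.
editor_tty_activity() {
    awk -v user="$1" '
    {
        # The flags column is optional; when absent, field 2 is the user.
        if ($2 ~ /^[SFCDX]+$/ && $3 == user) { flags = $2; tty = $4 }
        else if ($2 == user)                 { flags = "-"; tty = $3 }
        else next
        cmd = $1
        if (cmd ~ /^(vi|vim|nvi|view|ex)$/) { editor[tty] = 1; next }
        kind = (cmd ~ /^(sh|bash|dash|ksh|zsh|csh|tcsh)$/) ? "shell" : "cmd"
        # F: the process forked but never called exec
        if (flags ~ /F/) kind = kind "+fork-no-exec"
        n[tty]++
        rec[tty, n[tty]] = tty " " cmd " " flags " " kind
    }
    END {
        # Report only terminals on which an editor was seen
        for (tty in editor)
            for (i = 1; i <= n[tty]; i++) print rec[tty, i]
    }' | sort
}

# Run against the constructed sample
sample_lastcomm | editor_tty_activity alice
```

A shell record on an editor terminal is a lead to follow up, not proof that the shell was started from inside vi.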
4

Are you talking about the shell history? vi shell mode (:sh) launches the user's default shell. If that is bash, then you can make sure that history logging is always enabled by editing the global /etc/bashrc and adding:

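# File that history is written to
HISTFILE=~/.bash_history
# Append to the history file instead of overwriting it
shopt -s histappend
# Write new history lines to the file each time the prompt is shown
PROMPT_COMMAND='history -a'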

That will ensure that every user command gets logged to a file, it doesn't get overwritten, and it gets updated every time the shell prompt appears.

Note that users can override this in their personal ~/.bashrc so this is not an absolute guarantee that logging will happen.

Some versions of vi (like nvi) support a safe mode that disables shell access, via starting vi as nvi -S. You could set a global alias in /etc/bashrc to force this mode by default as well.

Note that in general the issue of users getting to the shell via unexpected means is a classic Unix problem. There's no way to disable this completely; the best you can do is try to limit the access by default. A sophisticated user (or even a user who knows how to use Google) can always get around these restrictions. For example, if a user doesn't want his shell history logged, he could always just exec a new copy of the shell with whatever options he wanted to use.

Here's a great writeup of how to force logging in bash and the ways that logging can be circumvented.

Finally, have you considered just talking to the user to determine what they are doing? 99% of the time simple verbal communication can clear up any confusion. If you are logging this user's activity because you don't trust them, maybe you can talk to them about your concerns.

Phil Hollenback