debian - How to read current history of a still logged in user?

2014-07
  • gr0bz

    I currently have a root SSH session on a Debian Wheezy server, and I see that another user is currently logged in (with an unprivileged account). As the user is still logged in, the command history is not showing the right thing because the history was not flushed and then the ~/.bash_history file is not up to date (it's still in memory).

    How can I dump memory to see what a user has done during his session when he's still logged in?

  • Answers
  • kerolasa

    Here is a small script that should dump the history. Notice that you need to be root to sneak memory space of other processes.

    #!/bin/bash
    # Attach gdb to the running bash and have it call readline's write_history(),
    # which writes the shell's in-memory history list to the named file.
    if [ $# -eq 0 ]; then
            echo "usage: $0 <bash_pid>"
            exit 1
    fi
    gdb -batch \
            --eval "set sysroot /" \
            --eval "attach $1" \
            --eval "call write_history(\"/tmp/bash_history-$1.txt\")" \
            --eval 'detach' \
            --eval 'q'
    exit 0
    

    p.s. Seeing errors like 'warning: Could not load shared library symbols for...' can happen, along with a few other error-looking lines. Try to find the history file in /tmp/ before being too convinced the script did not work.
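    The same gdb/write_history trick wrapped for an incident responder who is root on the box and wants every bash of one user captured at once. This is an added example, not the script from the answer above; the function names and the capture directory are its own choices, and it assumes gdb is installed and that bash exports the write_history symbol, as the answer relies on.

```bash
#!/bin/bash
# Added example, not from the answer above: capture the in-memory history of
# every bash owned by one user, as a root incident responder would. Function
# names and the capture directory are this example's own choices.

# Yama's ptrace_scope decides whether even root may attach to another process:
# 0, 1 and 2 allow an attach by a CAP_SYS_PTRACE holder, 3 forbids every attach
# until reboot. The path is a parameter only so the check can be run against a
# constructed file.
ptrace_scope_permits_root() {
    file="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    [ -r "$file" ] || return 0            # Yama absent: no extra restriction
    scope=$(tr -dc '0-9' < "$file")
    [ -n "$scope" ] && [ "$scope" -lt 3 ]
}

# Dump each bash of user $1. write_history() runs inside the target process, so
# the file is created with that user's uid and must land somewhere the user can
# write (/tmp, as in the answer); it is then moved into a root-only directory.
dump_bash_histories() {
    user="$1"; keep="${2:-/root/history-capture}"
    [ "$(id -u)" -eq 0 ] || { echo "must be root to attach to another user's bash" >&2; return 1; }
    ptrace_scope_permits_root || { echo "kernel.yama.ptrace_scope=3: attach impossible" >&2; return 1; }
    mkdir -p "$keep" && chmod 700 "$keep"
    rc=0
    for pid in $(pgrep -u "$user" -x bash); do
        tmp="/tmp/bash_history-$user-$pid.txt"
        dest="$keep/bash_history-$user-$pid.txt"
        # The (int) cast is required by newer gdb, which refuses to call a
        # function whose return type it does not know.
        gdb -batch -p "$pid" \
            -ex "call (int)write_history(\"$tmp\")" \
            -ex detach -ex quit >/dev/null 2>&1
        # Refuse a symlink: the target user could have planted one under this
        # predictable name; only a regular, non-empty file is kept.
        if [ ! -L "$tmp" ] && [ -s "$tmp" ]; then
            mv "$tmp" "$dest" && printf '%s: %s lines\n' "$dest" "$(wc -l < "$dest")"
        else
            echo "pid $pid: nothing written; rerun gdb without the redirect to see why" >&2
            rc=1
        fi
    done
    return $rc
}

# usage (as root): ./capture.sh --run alice /root/history-capture
[ "${1:-}" = "--run" ] && { shift; dump_bash_histories "$@"; }
```

    Two points the answer leaves implicit: the history file is created by the user's own shell, so it carries that user's ownership until root moves it, and on kernels with Yama at ptrace_scope 3 the attach fails for root too, which the check above reports instead of silently producing no file.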

  • edvinas.me

    You can't really rely on bash_history because it is not always saved or can be overwritten. Also, not everything is usually saved during multi-session use (that depends on configuration, of course).

    If you really need such data tracked, then I would go with setting up acct, which has useful tools like:

    • ac command prints the statistics of user logins/logouts (connect time) in hours.
    • lastcomm command prints the information of previously executed commands of user.
    • accton command is used to turn on/off process for accounting.
    • sa command summarizes information of previously executed commands.
    • last and lastb commands show a listing of last logged-in users.

    To install:

    apt-get install acct
    

    Then you must enable the service:

    service acct start
    
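    An added example (not from the answer above) of what the accounting data looks like once lastcomm is in place: it summarises which commands one user ran. The sample records are constructed here in lastcomm's output shape; the function names are this example's own.

```bash
# Added example, not from the answer above: count which commands one user ran,
# from lastcomm output. lastcomm prints one record per exited process: command
# name (truncated to 16 characters), optional flag letters, user, tty, CPU
# seconds and a timestamp. Because the flag column may be empty, the user is
# taken from the right-hand end of the line (8th field from the end) rather
# than from a fixed column.
command_counts_for_user() {
    user="$1"
    awk -v u="$user" '
        NF >= 9 && $(NF-7) == u { n[$1]++ }
        END { for (c in n) printf "%d %s\n", n[c], c }
    ' | sort -k1,1nr -k2,2
}

# Live use: lastcomm itself filters by user, the function then totals per command.
# Records appear only after a process exits, so a still-running shell or a
# long-lived command is not yet in the accounting file.
user_command_report() {
    lastcomm --user "$1" | command_counts_for_user "$1"
}

# Constructed sample records, laid out like lastcomm output (not real accounting data).
SAMPLE_LASTCOMM='wget             S    alice    pts/1      0.02 secs Mon Jul  7 10:11
bash             F    alice    pts/1      0.00 secs Mon Jul  7 10:10
wget                  alice    pts/1      0.03 secs Mon Jul  7 10:12
cron             SF   root     __         0.00 secs Mon Jul  7 10:10
tar                   alice    pts/1      1.20 secs Mon Jul  7 10:13'

# usage: printf '%s\n' "$SAMPLE_LASTCOMM" | command_counts_for_user alice
```

    Run against the sample, the report for alice is "2 wget", "1 bash", "1 tar"; against a real system, `user_command_report alice` does the same over the accounting file. Note that accounting only sees the 16-character command name and not its arguments, so it answers "what ran" rather than "what was typed", which is exactly the gap the gdb answer fills.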

  • Related Question

    mac - Track kids browsing history even when they know how to clear it manually
  • Darren Newton

    I have a colleague with two teenage boys (yes, cue clichés about 'I have this friend, see...'). He's currently having issues with them browsing pr0n and wants to do a little spying on their browsing (I'm staying clear of the philosophies/ethics on this). The kids are savvy enough to clear their browsing history when they're done. As I'm his go-to for IT, he has asked me if there is a way to keep hold of the browsing history.

    The family uses Macs, and the kids surf with Safari. I know that browsing history is kept here ~/Library/Safari/History.plist. I figure there should be a way to write either an AppleScript or other script (Python/Ruby/Bash) that can backup this file to a different location (/opt/local/history, etc.)

    Since the kids know to clear their history when they're done, should the file be periodically backed up with something similar to a cron job or something like Hazel? While that could work, it seems like it would create a ton of little incremental backups.

    Or is it possible to 'watch' ~/Library/Safari/History.plist and incrementally add changes to a backup file (saving a diff so to speak) but not lose any data?

    Any ideas/solutions appreciated.

    UPDATE/EDIT: Got the word from concerned dad that the oldest uses Firefox on a different PC, so the OpenDNS solution (preferably at the router level) is the best answer so far as it would capture usage for the whole house.
  • Related Answers
  • Josh K

    Easiest solution would be to open an account on OpenDNS and log the history through that. They won't be able to delete it.

    If he finds it is a big problem, sites can also be blocked on OpenDNS.

  • hyperslug

    This sounds like a good suggestion to prevent bypassing DNS:

    Here's the setting of my router:

    • IP: 192.168.2.254
    • DNS: 208.67.222.222 208.67.220.220
    • IP Filter: Blocks port 53 UDP
    • A very strong password for its admin page

    Here's what nslookup is like. First I try to use the router's IP as the DNS:

    > server 192.168.2.254
    Default server: 192.168.2.254
    Address: 192.168.2.254#53
    > google.com.
    Server: 192.168.2.254
    Address: 192.168.2.254#53

    Non-authoritative answer:
    Name: google.com
    Address: 64.233.187.99
    Name: google.com
    Address: 64.233.167.99
    Name: google.com
    Address: 72.14.207.99

    Now I try to use something other than my router's IP... like OpenDNS's IP!

    > server 208.67.222.222
    Default server: 208.67.222.222
    Address: 208.67.222.222#53
    > google.com.
    ;; connection timed out; no servers could be reached

    So now I can't use anything else but the router's IP as my DNS server... and the router has been locked to only use OpenDNS.

    He's making his router the only device permitted to make DNS requests. All other network devices must use the router's DNS settings. The theory sounds good; I'll have to test it myself. Remaining workarounds:

    1. disconnect router and use internet directly from Cable/DSL modem
    2. accessing websites via IP address

    You can address #1 by placing the DSL modem in a closet and locking it. This may require some rewiring and attic work. You can address #2 with a full content filtering router/proxy solution, which could be pricey or complex to set up.

    And finally, these are only deterrents. If they can find a hotspot or a friend's house then this is moot. The root of the problem - carnality, I suppose - will need to be addressed.
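    The router filter quoted above, expressed as iptables rules for a Linux box acting as the home router. This is an added example, not configuration from the post: it assumes the LAN interface is eth1 and the router's LAN address is 192.168.2.254 (the address given in the post), and it blocks TCP 53 alongside UDP 53 because DNS also runs over TCP. The IPT variable exists so the rules can be reviewed with IPT=echo before being applied.

```bash
# Added example, not from the post: DNS lock-down on a Linux home router.
# Assumed values: LAN interface eth1, router LAN address 192.168.2.254.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
ROUTER_IP="${ROUTER_IP:-192.168.2.254}"

# Clients may ask the router's own resolver, which is configured to forward
# to OpenDNS (for dnsmasq: server=208.67.222.222 and server=208.67.220.220).
# Any DNS the router is asked to forward on behalf of a LAN client is dropped,
# which is what made the nslookup test above time out.
dns_lockdown_rules() {
    "$IPT" -A INPUT -i "$LAN_IF" -d "$ROUTER_IP" -p udp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -d "$ROUTER_IP" -p tcp --dport 53 -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -p udp --dport 53 -j DROP
    "$IPT" -A FORWARD -i "$LAN_IF" -p tcp --dport 53 -j DROP
}

# Counts how many of the emitted rules are FORWARD drops, handy when reviewing
# a dry run (IPT=echo) before touching the live firewall.
count_forward_drops() {
    IPT=echo dns_lockdown_rules | grep -c -- '-A FORWARD .* -j DROP'
}

# usage: IPT=echo dns_lockdown_rules      (review)
#        dns_lockdown_rules               (apply, as root)
```

    As the post says, this only closes the DNS channel: a client that connects to a site by IP address never asks the router anything, and a second uplink around the router is out of scope for any firewall rule on it.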

  • pqnet

    If you go with a DNS solution, have a look at ScrubIT (http://www.scrubit.com/); it's a free DNS service which maintains a blacklist of websites which are not safe for family browsing.

  • otherguydude

    If you really can't trust your kids, I would suggest OpenDNS. But before doing that, try to gain their trust and just make them stop going to bad sites without OpenDNS. Try using Windows live parental controls or Mac parental controls to check their history and bad sites. If they still go to those, then use OpenDNS.

  • random

    Go in to browser properties and set up a password for clearing the browser history.