2

On Ubuntu Artful 17, as a privileged user, how can I get an email (possibly nightly) with information about:

  • what GET requests were sent to port 80
  • who attempted ssh connections to port 22
  • after a "regular user" logged in via ssh
    • what shell commands did they execute
    • did they try sudo
    • did they try to read or delete /home/otherother/* files

1 Answer

2

About your question:

  1. You can check all your received requests to port 80 in your web server logs.

    • In Apache, the logs can be found at the following locations, depending on the GNU/Linux distribution and version.
      • /var/log/apache/access.log
      • /var/log/apache2/access.log
      • /var/log/httpd/access.log
  2. About checking your SSH logs, please refer to the following links:

  3. You can check ALL the commands executed by another user by opening the .bash_history file, located in /home/<username>/.bash_history. Also keep in mind that the user can delete this log file.

Executing tail /var/log/auth.log | grep <username> should give you a user's sudo history.

If the user spawned a shell with sudo -s, sudo su, sudo sh, etc., then the commands executed may appear in the history file of the root user, located in /root/.bash_history.

If you want a tool built for this purpose, you can check for sysdig. It is packaged in artful and other Ubuntu releases.

Sysdig is an open-source, cross-platform, powerful and flexible system monitoring, analysis and troubleshooting tool for Linux. It can be used for system exploration and debugging.

You can execute sysdig -c spy_users to display every command that users launch interactively as well as every directory users visit.

Also you can use spy_port to show the data exchanged using the given IP port number.

Hope this helps.

N0rbert
  • 99,918
galoget
  • 2,963
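
The log-based parts of the question, as an added example that is not part of the original answer: a Python script that summarises GET requests from an Apache access log and SSH and sudo events from auth.log into one e-mail message. The sample lines, host name, addresses and recipient are constructed; the formats assumed are Apache's common log format and the default OpenSSH and sudo syslog messages.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample lines (not real traffic); in production read the files the
# answer names, e.g. /var/log/apache2/access.log and /var/log/auth.log.
ACCESS_SAMPLE = """\
203.0.113.5 - - [03/Mar/2018:02:10:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [03/Mar/2018:02:10:02 +0000] "GET /admin HTTP/1.1" 404 209
198.51.100.7 - - [03/Mar/2018:02:11:40 +0000] "POST /login HTTP/1.1" 302 0
""".splitlines()
AUTH_SAMPLE = """\
Mar  3 02:14:07 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 02:15:30 web1 sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 02:20:11 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Mar  3 02:21:45 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
""".splitlines()

GET_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+)[^"]*" (\d{3})')
SSH_RE = re.compile(r'sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)')
SUDO_RE = re.compile(r'sudo:\s+(\S+) : (.*?)COMMAND=(.*)$')

def get_requests(lines):
    """Count GET requests per (client, path, status)."""
    return Counter(m.groups() for m in map(GET_RE.match, lines) if m)

def ssh_attempts(lines):
    """Count SSH logins per (result, user, source address)."""
    return Counter(m.groups() for m in map(SSH_RE.search, lines) if m)

def sudo_events(lines):
    """Return (user, allowed, command); denied runs carry a reason before TTY=."""
    hits = (SUDO_RE.search(l) for l in lines)
    return [(m[1], m[2].startswith("TTY="), m[3]) for m in hits if m]

def build_report(access, auth, to_addr="root@localhost"):
    body = ["GET requests:"] + [f"  {n}x {c} {p} -> {s}" for (c, p, s), n in get_requests(access).items()]
    body += ["SSH attempts:"] + [f"  {n}x {r} {u} from {a}" for (r, u, a), n in ssh_attempts(auth).items()]
    body += ["sudo:"] + [f"  {u} {'ran' if ok else 'DENIED'} {cmd}" for u, ok, cmd in sudo_events(auth)]
    msg = EmailMessage()
    msg["Subject"], msg["To"], msg["From"] = "Nightly access report", to_addr, to_addr
    msg.set_content("\n".join(body))
    return msg

if __name__ == "__main__":
    print(build_report(ACCESS_SAMPLE, AUTH_SAMPLE))  # pipe to sendmail -t from cron
```

Run it nightly from root's crontab against the real log files, since auth.log is not world-readable on Ubuntu; log rotation means a nightly run may also need the previous rotated file.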