User access logging

[Jawelin]

I would keep a history log of all accesses to the board for auditing reasons (the third 'A' of 'security' concept, along with Authentication and Authorization.... !!!! ).

Infact I had some problem of stolen pw or accounts... Now, running 2.2.1 with MD5 hashing, still have some users saying they didn't something .... etc...

So, I WOULD A COMPLETE LOG of all accessed pages (even read!), with userid and IPs, not only the time-periood-limited session.
Infact I saw the session table storing that infos, but only for the time specified in options about the 'online' time...
Just later that info are deleted from that table and lost forever.
Could I - for example - move them to an history-purpose table or, better, to a seq file on the server ?

Could someone help me in this hack/not hack idea ?

Thanks a lot.
Bye

[Scott MacVicar]

I already log all logins to the board, what IP they came from and time etc, though I think logging every single action would be pushing it and take up a ridiculous amount of space.

[Jawelin]

Sorry but haven't understood... Where are you logging all these access infos ?
I guess are logged ONLY the registration time IP and the last access time to the board, not the actions and the source of these actions (actually they are trashed, with the browser info and so on...)
What else and where stored ?


P.S.: 'ridiculous amount of space'... Do you mean 'too much amount', don't you ? Yeah, I was thinking about a sequential output (appending to) file which I can 'storicize' periodically, gzip and/or delete after downloading and putting offline...
That's what I mean for auditing issue


Thanks

[Scott MacVicar]

this modification i made logs the IP and userid of every user everytime they login to the board or return to the board after the session timeout, i then dump it from the mysql table and gzip it once a week then i empty the table and the process starts again, I've used it to find out the most popular ISP on my board is AOL x_X

[Jawelin]

Do you mean your great hack Failed Login Logging ?

I installed it and follow all the modifications, but it only traces the failed logins (bad pw) to the 'loginlog' table...
Not a real audit !

Or, if you mean something else, could you give me (here?) a hand to create something like yours ?
I guess I should dupe the DB-Query instruction when inserting a row into 'session' table, for example into a 'session_history' one...

Later I could drop that periodically after a backup...

What do you think about ?
Thanks.

[Jawelin]

Hey, are you there ???
Happy new year!

Sorry but, as usual, I tried to do myself but this time I think it's a too-big hack for me...
I searched for all the INSERT/UPDATE to 'session' table, but they are too much - and too complex - to duplicate them (as I guessed) to another 'session_history' table, for example...
Could you give an hand with the code you talk about or something to localize better the effort I should address ?


Thank you very much.
Bye

[Scott MacVicar]

Nope its not the failed login hack but that inspired it

I will make the admin part of this hack in the super near future, but you can start the logging now.

create the following table


CREATE TABLE userlog (
userlogid int(10) unsigned NOT NULL auto_increment,
userid int(10) unsigned NOT NULL default '0',
ip varchar(20) NOT NULL default '',
atime int(10) unsigned NOT NULL default '0',
KEY id (userlogid)
) TYPE=MyISAM;


open /admin/sessions.php the following code will need to be placed somewhere in that file, maybe even multiple times, i'm still trying to work out where to put it o_O

PHP Code:

//the creation of a new session lets log the IP and userid as we may need to trace them :D
          if($bbuserinfo['userid']) {
            //they have a userid so there logged in
            $DB_site->query("INSERT INTO userlog (userlogid, userid, ip, atime) VALUES (NULL, '$bbuserinfo[userid]', '$session[host]', '".time()."')");
          } 


[Jawelin]

Thanks a lot.
I did some modificatons upon your input, as I would like to track some other field, too...
I'll check 'my version' and post it if works...

Meanwhile, could you confirm the very last part of your php-code
[...], '".time().")"); ???
There's a single quote not closed near the round, isn't ?

Besides, I think the best point to include the above if-clause is just below the first

PHP Code:

$DB_site->query("INSERT INTO session .... 


(as the second one is to create session for unregistered users (userid=0)...
Do you agree ?

Thanks.
CU soon.
Bye

[Jawelin]

Just another question... Hard, I think
Well.
At the above point in sessions.php, I would know (and store into log table) if the user comes from a 'cookied' login or a 'passworded' login...

I tried to check the following vars, but ....

• $createanonsession
• $loginpassword (if isset...)
• what else ???

Besides, if I would automate like you the backup/emptying of the table, could I use any croned mysql command ? What ?

Thanks again

[Jawelin]

Quote:

Originally posted by Jawelin

Besides, if I would automate like you the backup/emptying of the table, could I use any croned mysql command ? What ?

Thanks again [/B]