
I want to know which websites/URLs are visited by users of my home computer's guest account.

Is there a way to log this and save it as a nicely formatted list to the disk? I only need date/time and visited URL. If possible, full URLs would be nice, but domain only is also good for a start.

Update:

After having read the linked answers and suggestions in the chat from A.B., I ran the following command:

$ sudo iptables -A OUTPUT -m owner --uid-owner 499 -j LOG --log-prefix='[GUEST INTERNET ACCESS] '

after having set the guest account UID to the fixed UID 499 following Set or determine the UID range for guest accounts.

But /var/log/kern.log still doesn't contain those log entries, only lots of messages from AppArmor saying it denied something:

Nov 18 11:19:22 wolf-pack kernel: [ 1030.063374] audit: type=1400 audit(1447841962.731:164): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/stdout" pid=4693 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=499 ouid=0

I have posted a separate question about the AppArmor problem here: AppArmor blocks logging set up through iptables for guest account - How to enable?

Byte Commander
  • One way would be to log using iptables: http://askubuntu.com/a/348448/158442 (instead of `-s x.y.z.w`, maybe `-m owner --uid-owner guest`) – muru Nov 09 '15 at 11:50
  • Yep, like http://grokbase.com/t/centos/centos/08251xy1j6/log-outbound-port-80-connections, adding `https` and logging just the first packets (start with the third answer there). It's a bit of work but doable. Good Luck! – Rmano Nov 09 '15 at 11:55
  • @muru Can you write that as a short answer? I've never dealt with iptables or such kernel logging stuff yet, so I'm pretty lost at the current point... – Byte Commander Nov 09 '15 at 12:03
  • That will take time, I'm not near a suitable system at the moment. I'll post one later today. – muru Nov 09 '15 at 12:07
  • @muru I thought I should remind you that you wanted to post an answer here a few days ago? – Byte Commander Nov 17 '15 at 09:15
  • You could log DNS lookups. Not absolutely what you're looking for, but really easy: `sudo tcpdump -i eth0 -n | grep "\.53"`. – Mark Smith Nov 23 '15 at 16:32
  • @MarkSmith How would I set this up to capture the guest account's traffic only and log it in a nicer format? And isn't there a DNS cache so that addresses that were used once don't get looked up several times? – Byte Commander Nov 23 '15 at 16:40
  • There was a typo in my command, sorry. `sudo tcpdump -i eth0 -n | grep "\.53:"`. (Note extra colon.) That will clean up the output a bit. I don't know how DNS caching will affect it - AFAIK it's probably somewhat up to your web browser how it does that. I also don't know of an easy way to filter by user, sorry. It's not perfect in many ways - it also shows lookups for in-page adverts and so on - but it's quick and easy and sort of basically lets you see what someone's up to. – Mark Smith Nov 23 '15 at 16:44
  • @MarkSmith Okay, if you now only display the time and URL column, filter all requests but those from the guest account and let it append everything to a log file, it would be a minimal but valid answer. – Byte Commander Nov 23 '15 at 16:51
  • `sudo tcpdump -i eth0 -n | grep "\.53:" | cut -d " " -f 1,8 >> my.log` Everything except the filtering by account - I don't know how to do that, sorry. – Mark Smith Nov 23 '15 at 17:00
  • @MarkSmith Could the script somehow determine which user is currently operating (uses the active TTY) and pause while this is not UID 499? – Byte Commander Nov 23 '15 at 17:21
  • All suggestions here miss the point that URLs are part of the application layer and to propose solving this on just IP/TCP layer doesn't have much in common with what's being asked here. – Marcin Kaminski Nov 29 '15 at 13:58
  • @MarcinKaminski I appreciate your different view on this topic. May I ask why you decided to delete your answer about setting up a proxy again? – Byte Commander Nov 30 '15 at 13:24
  • @ByteCommander I think you might have forgotten you asked me to move this answer from below question #699539 to this very question. Either way, moving on since it seems people prefer using a hammer to install a screw :) – Marcin Kaminski Dec 05 '15 at 00:09
  • @MarcinKaminski Thanks, but I have not forgotten it, I just did not find time to try it out yet. Here's an upvote already, as it looks good, but I will have to test it in a few days... – Byte Commander Dec 05 '15 at 18:02
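As an added example, not code from the question or from any of the commenters: once the owner-match LOG rule from the question is actually writing to /var/log/kern.log, its lines still have to be reduced to the "date/time plus destination" list the question asks for. The script below does that with grep and awk, keeping only the first packet of each TCP connection (SYN set, ACK clear) so a connection is listed once rather than once per packet. The sample log lines are constructed for this example (hostname, interface, RFC 5737 addresses and timestamps are made up; only the log-prefix string comes from the question), and what comes out is destination IP and port, not a URL, which is exactly the limitation the answer below points out.

```shell
#!/bin/sh
# Added example (not from the question or its commenters): turn the kernel LOG
# lines produced by the question's iptables owner-match rule into the
# "date/time  destination" list asked for. The sample below is constructed:
# hostname, interface, addresses (RFC 5737 ranges) and timestamps are made up;
# only the log-prefix string comes from the question.

PREFIX='[GUEST INTERNET ACCESS]'

# Constructed sample of /var/log/kern.log: one unrelated AppArmor line, then
# four packets from the guest user: a TCP SYN, the ACK that follows on the
# same connection, a UDP DNS query, and a second TCP SYN to port 443.
SAMPLE_LOG='Nov 18 11:19:22 wolf-pack kernel: [ 1030.063374] audit: type=1400 apparmor="DENIED" operation="connect" fsuid=499 ouid=0
Nov 18 11:20:01 wolf-pack kernel: [ 1069.000001] [GUEST INTERNET ACCESS] IN= OUT=wlan0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 18 11:20:01 wolf-pack kernel: [ 1069.000310] [GUEST INTERNET ACCESS] IN= OUT=wlan0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Nov 18 11:20:03 wolf-pack kernel: [ 1071.000002] [GUEST INTERNET ACCESS] IN= OUT=wlan0 SRC=192.0.2.10 DST=192.0.2.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF PROTO=UDP SPT=40001 DPT=53 LEN=41
Nov 18 11:20:04 wolf-pack kernel: [ 1072.000003] [GUEST INTERNET ACCESS] IN= OUT=wlan0 SRC=192.0.2.10 DST=203.0.113.44 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4324 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0'

# guest_connections: read kern.log on stdin, print one line per new guest
# connection as "Mon DD HH:MM:SS<TAB>DST:DPT". For TCP only the SYN packet
# (SYN set, ACK clear) is reported, so each connection appears once instead
# of once per packet; other protocols get the protocol name appended.
guest_connections() {
    grep -F -- "$PREFIX" | awk '
    {
        # the syslog timestamp is the first three whitespace-separated fields
        ts = $1 " " $2 " " $3
        dst = ""; dpt = ""; proto = ""; syn = 0; ack = 0
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^DST=/)        dst   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i == "SYN")    syn = 1
            else if ($i == "ACK")    ack = 1
        }
        if (dst == "") next
        if (proto == "TCP") {
            if (syn && !ack) printf "%s\t%s:%s\n", ts, dst, dpt
        } else {
            printf "%s\t%s:%s/%s\n", ts, dst, dpt, proto
        }
    }'
}

# Demo run on the constructed sample:  sh guest_connections.sh --demo
# On a real system:  guest_connections < /var/log/kern.log >> guest-sites.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | guest_connections
fi
```

The ACK packet on the first connection is dropped and the DNS query is kept with "/UDP" appended, so a DNS answer of this kind gives you "domain only" at best via a reverse lookup of the IP, never the URL.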

2 Answers


I think your intention is clear here: log URLs of websites visited by anyone using any application as the guest user.

Suggesting iptables logging to achieve this task isn't correct. iptables (without some obscure, performance-limiting extensions) works on the IP protocol, not on the application level.

I've also seen suggestions in the URLs suggested as comments - responders suggested only capturing packets with SYN flags (new connections). That, too, results from the misunderstanding described above.

The way to achieve what you want is:

  1. Install a web proxy (preferably lightweight, such as tinyproxy).
  2. Add iptables rules that redirect outgoing connections made by only a specific user to ports 80,443/tcp to the local proxy.

What I had in mind is described here (not my post). This way you get a web proxy log which has all the HTTP requests logged. You won't get logs related to SSL protected traffic though, which is a good thing.

To reiterate: URLs are not part of the IP or TCP header structure, thus something working on the IP/TCP level isn't going to be able to show you this data, unless it has some TCP dissector (tcpdump/wireshark are able to do this but not iptables alone).

Marcin Kaminski
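As an added example, not Marcin Kaminski's code and not part of tinyproxy: the two halves of the answer's approach as shell functions. proxy_redirect_rules prints the nat-table rules that send one user's outgoing web connections to a local proxy (a dry run: it prints the commands and you decide whether to run them as root), and proxy_requests reduces a tinyproxy log to the date/time, method and URL list the question asks for. Assumptions: UID 499 is the guest account as in the question; the proxy listens on 127.0.0.1:8888 (tinyproxy's default port) and runs as its own user; and tinyproxy's log lines look like "LEVEL  Mon DD HH:MM:SS [pid]: Request (file descriptor N): GET URL HTTP/1.1". The sample log is constructed with example domains, and the request lines follow the explicit-proxy form; a transparently redirected client may send only the path on the request line, so check the parser against your own proxy's log before relying on it.

```shell
#!/bin/sh
# Added example (not the answer's code, not tinyproxy's): rule generation for
# the per-user redirect, plus a parser for the proxy's request log.
# Assumed: guest UID 499 (from the question), proxy on 127.0.0.1:8888 running
# as its own user, tinyproxy-style log lines. Sample log is constructed.

# proxy_redirect_rules UID PROXY_PORT [PORTS]
# Prints one iptables command per destination port. Matching on --uid-owner
# is what keeps the proxy's own outgoing connections (made by a different
# user) from being redirected back into itself. Default is port 80 only: a
# plain HTTP proxy cannot accept a TLS handshake, so redirecting 443 to it
# would break HTTPS for that user rather than log it.
proxy_redirect_rules() {
    uid="$1"; proxy_port="$2"; ports="${3:-80}"
    for dport in $ports; do
        echo "iptables -t nat -A OUTPUT -p tcp --dport $dport -m owner --uid-owner $uid -j REDIRECT --to-ports $proxy_port"
    done
}

# Constructed tinyproxy log: a plain HTTP request, a CONNECT (HTTPS through
# an explicit proxy, where only host:port is visible) and unrelated lines.
SAMPLE_PROXY_LOG='CONNECT   Nov 18 12:01:07 [2310]: Connect (file descriptor 6): localhost [127.0.0.1]
CONNECT   Nov 18 12:01:07 [2310]: Request (file descriptor 6): GET http://www.example.com/index.html HTTP/1.1
INFO      Nov 18 12:01:07 [2310]: No upstream proxy for www.example.com
CONNECT   Nov 18 12:01:09 [2311]: Request (file descriptor 7): CONNECT www.example.net:443 HTTP/1.1
INFO      Nov 18 12:01:12 [2310]: Closed connection between local client (fd:6) and remote client (fd:8)'

# proxy_requests: read the proxy log on stdin, print
# "Mon DD HH:MM:SS<TAB>METHOD<TAB>URL" for every request line. The request
# line ends in "METHOD URL HTTP/x.y", so the method and URL are the last
# two fields before the version.
proxy_requests() {
    awk '
    index($0, ": Request (file descriptor ") > 0 {
        ts = $2 " " $3 " " $4
        printf "%s\t%s\t%s\n", ts, $(NF-2), $(NF-1)
    }'
}

# Demo:  sh guest_proxy.sh --demo
# Real use:  proxy_redirect_rules 499 8888 | sudo sh
#            proxy_requests < /var/log/tinyproxy/tinyproxy.log >> guest-urls.log
if [ "${1:-}" = "--demo" ]; then
    proxy_redirect_rules 499 8888
    printf '%s\n' "$SAMPLE_PROXY_LOG" | proxy_requests
fi
```

Keep the proxy bound to 127.0.0.1 so the redirect is the only way into it; a proxy listening on all interfaces with no access control is reachable from the rest of the LAN. The owner match in the nat OUTPUT chain is the part that scopes this to the guest account, which is what the tcpdump suggestions in the comments could not do.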

Have you tried this:

sudo iptables -A output -m owner --uid-owner 499 -j log --log-prefix="'/var/log/kern.log$'uri"

and it might work fine this way.

Michael
  • This is almost the same command as the one I have already tried and described in my question, except that it does not work because you wrote `log` instead of `LOG`, and that you set a different log-prefix, which is not important. – Byte Commander Nov 23 '15 at 16:27
  • If you add before the log this --force-yes it might work fine this way. – Michael Nov 30 '15 at 16:58