https://community.hpe.com/t5/operating-system-hp-ux/audit-user-login-commands-executed/m-p/3859725#M276550 <!--!*#--> am looking for some very good suggestions to log activity that occurs <BR />after individual login to UNIX. Scenario: <BR /><BR />1. Log all the commands executed by the user after user login into the <BR />UNIX account. <BR />2. Also, if after login user "su" to other login, log all the commands <BR />executed in that "su" login. <BR /><BR /><BR />What I know is that this could be done by "scripts", but, we don't want <BR />to use scripts because: <BR /><BR /><BR />1. User can modify the files as it's accessible by him. <BR />2. Also, because it could be easily turned off. <BR /><BR /><BR />Is there any other better way ? I looked at syslog, sulog etc, but none <BR />of them gives me what I need. sulog just tells who logged in from which <BR />IP. <BR /><BR />UNIX being so powerful and profusion of utilities on it would have <BR />something in store that suits my requirement. <BR /><BR /> Fri, 08 Sep 2006 19:47:31 GMT MohitAnchlia 2006-09-08T19:47:31Z https://community.hpe.com/t5/operating-system-hp-ux/audit-user-login-commands-executed/m-p/3859725#M276550 <!--!*#--> am looking for some very good suggestions to log activity that occurs <BR />after individual login to UNIX. Scenario: <BR /><BR />1. Log all the commands executed by the user after user login into the <BR />UNIX account. <BR />2. Also, if after login user "su" to other login, log all the commands <BR />executed in that "su" login. <BR /><BR /><BR />What I know is that this could be done by "scripts", but, we don't want <BR />to use scripts because: <BR /><BR /><BR />1. User can modify the files as it's accessible by him. <BR />2. Also, because it could be easily turned off. <BR /><BR /><BR />Is there any other better way ? I looked at syslog, sulog etc, but none <BR />of them gives me what I need. sulog just tells who logged in from which <BR />IP. <BR /><BR />UNIX being so powerful and profusion of utilities on it would have <BR />something in store that suits my requirement. <BR /><BR /> Fri, 08 Sep 2006 19:47:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/audit-user-login-commands-executed/m-p/3859725#M276550 MohitAnchlia 2006-09-08T19:47:31Z https://community.hpe.com/t5/operating-system-hp-ux/audit-user-login-commands-executed/m-p/3859726#M276551 Hi,<BR /><BR />The best way to accomplish this is to convert to a trusted system. If this is not possible, make sure that $HISTFILE is set for the user, and than $HISTSIZE is a sufficiently large value.<BR /><BR />You may also want to consider a 'sudo' approach to the user's history file so that he/she does not have direct write access to it. Routine archiving of ~user/$HISTFILE would also be a good idea.<BR /><BR />'script' or a similar utility (e.g. GNU Screen) would be another option, although these would incur overhead.<BR /><BR />PCS Fri, 08 Sep 2006 20:07:09 GMT https://community.hpe.com/t5/operating-system-hp-ux/audit-user-login-commands-executed/m-p/3859726#M276551 spex 2006-09-08T20:07:09Z https://community.hpe.com/t5/operating-system-hp-ux/audit-user-login-commands-executed/m-p/3859727#M276552 First activity can be done when you convert your system to trusted mode. Then you can turn on auditing for the system which logs all activity. But it is not a good idea if you are not going to monitor the logs.<BR /><BR />Install sudo package so that you can assign root privilages to users and once user sudo's to root then activity will be logged onto .sh_history. <BR /><BR />As spex said above you can set history file to hold all activity. Fri, 08 Sep 2006 20:24:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/audit-user-login-commands-executed/m-p/3859727#M276552 IT_2007 2006-09-08T20:24:37Z https://community.hpe.com/t5/operating-system-hp-ux/audit-user-login-commands-executed/m-p/3859728#M276553 <!--!*#-->As suggested by "Spex", How can I do this:<BR /><BR />"You may also want to consider a 'sudo' approach to the user's history file so that he/she does not have direct write access to it. Routine archiving of ~user/$HISTFILE would also be a good idea."<BR /><BR />Also what's the overhead of converting it to trusted mode ?<BR /><BR />Could acct, acctmon etc. be used ?<BR /><BR /> Fri, 08 Sep 2006 22:09:17 GMT https://community.hpe.com/t5/operating-system-hp-ux/audit-user-login-commands-executed/m-p/3859728#M276553 MohitAnchlia 2006-09-08T22:09:17Z