topic Re: find out all user in Operating System - HP-UX

find out all user

prateek_1 — Tue, 24 Feb 2009 07:47:33 GMT

I need to find out all user who logged in my host and what modification they done.

Re: find out all user

Ganesan R — Tue, 24 Feb 2009 07:54:25 GMT

Hi,

Need more details. If you need to know the currently logged in users use #who -u command or #w

If you have enabled auditing you can findout which user did what.

Re: find out all user

Sani — Tue, 24 Feb 2009 09:22:01 GMT

Hi ,

use "whodo" to find out logged in users and process running by those users.

Regards
Sani

Re: find out all user

prateek_1 — Tue, 24 Feb 2009 09:25:44 GMT

I need all user currently as well as previously logged on system and in which file they done any modification with the IP address of user.

Re: find out all user

T G Manikandan — Tue, 24 Feb 2009 09:31:11 GMT

What version of HPUX you are running, you need to convert your system to a trusted mode to enable auditing to find all information.

Re: find out all user

Johnson Punniyalingam — Tue, 24 Feb 2009 09:35:07 GMT

Hi Prateek,

Have you turn on audting in your Server .?

If you Server Trusted System.? if not bit difficult... :(

# last -R user1 user2 user3

(above command will give login history with IP address of user1,user2,user3)

Hope This Helps,

Tks,
Johnson

Re: find out all user

Robert-Jan Goossens — Tue, 24 Feb 2009 09:38:56 GMT

Prateek,

You need to have a look at the system audit tools. I don't know what versionof HPUX you are running, but have a look at the below link and search for audit.

http://h20392.www2.hp.com/portal/swdepot/searchProducts.do

Regards,
Robert-Jan

Re: find out all user

prateek_1 — Tue, 24 Feb 2009 09:39:06 GMT

Hi,
how can i turn on audting in my Server,commands mentioned by you give me o/p like--
bash-2.05# last -R user1 user2

WTMPS_FILE begins at Thu Jan 29 19:42:29

Re: find out all user

prateek_1 — Tue, 24 Feb 2009 09:40:29 GMT

im using 11.31 sep08 fusion.

Re: find out all user

Ganesan R — Tue, 24 Feb 2009 09:43:29 GMT

Hi Prateek,

Use SAM to convert the system into trusted mode. Once you converted to trusted you can enable auditing.

SAM -> Auditing and Security ->Goto Actions ->Convert the sytem

Re: find out all user

Fred Ruffet — Tue, 24 Feb 2009 09:54:55 GMT

Turning system into trusted mode may not be done to fast. It may have side effects that need to be studied.

Regards,

Fred

Re: find out all user

prateek_1 — Tue, 24 Feb 2009 09:58:51 GMT

Thanks ganesan ,now i m able convert the system into trusted mode.

but above command are giving same o/p--

bash-2.05# last -R user1 user2

WTMPS_FILE begins at Thu Jan 29 19:42:29

i need to find out the ip of user and check where and what changes he/she had done.

Re: find out all user

Fred Ruffet — Tue, 24 Feb 2009 10:04:47 GMT

The "last" command will only tell you who logged in, from which IP and at which time. But it won't tell you what action has been made. If it's a shell action, you will have information in the .sh_history file of the user (if it exists).

Regards,

Fred

Re: find out all user

Jeeshan — Tue, 24 Feb 2009 10:05:10 GMT

duplicate thread has been opened. close one

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1316984

Re: find out all user

prateek_1 — Tue, 24 Feb 2009 10:14:07 GMT

sure ahsan,

Re: find out all user

prateek_1 — Tue, 24 Feb 2009 10:17:32 GMT

Hi fred ,

.sh_history is not here but i can see some previous command on .bash_histroy.but its difficult to me to specify which command used by which user.could you help me on that

Re: find out all user

Duncan Edmonstone — Tue, 24 Feb 2009 10:17:57 GMT

Is this something you need to do going forward, or are you actiavely trying to determine a change that someone has made in the past?

If the latter, it sounds to me like its too late. Enabling auditing won't show you what happened *before* auditing was enabled! Only what has happened since it was enabled.

A couple of other points:

i) Don't convert to a trusted system... hou don't need to to enable autiting in 11iv3(11.31). In fact trusted systems will be deprectaed in a future release.

ii) If you really wanto to setup auditing correctly I suggest you *read and understand* the section of the manual that covers this:

http://docs.hp.com/en/5992-3387/ch10.html

It really isn't as simple as running a couple of commands and magically getting what you want. You bhave to take ther time to decide what you're going to audit and then configure collection and manage the ongoing production of audit logs...

HTH

Duncan