topic Re: user login record in Operating System - HP-UX

user login record

Yu Zhen_1 — Wed, 05 Dec 2001 01:14:51 GMT

someone has make some modification on the system, and I'm trying to spot who make the change, from where(IP address). Which log or command can show me this information?

Re: user login record

Steven Sim Kok Leong — Wed, 05 Dec 2001 01:24:55 GMT

Hi,

For usage accounting, you can use runacct (run accounting mode) and acctcom (list accounting records). man runacct and man acctcom for more information. This comes with HP-UX PRM application.

To track what the opened files and opened processes from a specific IP address, you can only perform it in real-time mode using lsof. lsof is a third-party utility that does not come with HP-UX.

If you just want to monitor the network services used from a particular IP. In historical mode, enable inetd -l for inetd logging. In real-time mode, use netstat -f inet or lsof.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com

Re: user login record

Michael Tully — Wed, 05 Dec 2001 02:02:14 GMT

Hi,

Unless you already have some sort of
system accounting or auditing, it would
be extremely difficult.

To prevent this occurance first thing to
do would be search the system for any
files that are:

-rw-rw-rw- 1 root root 1116 Dec 2 05:33 file
or
-rwxrwxrwx 1 root root 1116 Dec 2 05:33 file

and change them to more appropriate privleges.

Change the root password.
Search through the /var/adm/sulog for the persons responsible that should not have access.
Make sure that you /var/adm/inetd.sec file
is secure.
Implement something like 'sudo' to assist in
your security.
Add the word 'console' to /etc/securetty
(without the quotes) so that users cannot login
directly as root.

HTH
-Michael

Re: user login record

Darrell Allen — Wed, 05 Dec 2001 02:44:37 GMT

Hello,

I'm afraid it will be a difficult if not imposible task to get the information you want. You can use the "last" command to see when people logged in. You can use "who -a /var/adm/wtmp" and get more information. /var/adm/sulog lists people who changed accounts with "su". /var/adm/syslog/syslog.log may have some information depending on the logging options you have. Most of this is not going to tell you who did what though. Unless you had a tool in place before-hand, you're going to be very limited in what you can find.

Darrell

Re: user login record

Michael Tully — Wed, 05 Dec 2001 02:50:59 GMT

Hi,

If you track down the person through
either /var/adm/syslog/syslog.log
or /var/adm/sulog you could look
into their home directory and view
their .sh_history file

If they are smart enough they will have
already covered their tracks, but they
may not have.

-Michael

Re: user login record

Uday_S_Ankolekar — Wed, 05 Dec 2001 02:53:53 GMT

Hi,

Enabling auditing would help in most way.
If you have doubt on somebody who could possibly making changes than by checking .history file in that perticular users home directory.
Who -R would show you the person loging in from where, when he had logged in.

-USA..