topic Re: user tracking in Operating System - HP-UX

user tracking

Raghuram Ollakal_1 — Tue, 02 Jul 2002 16:43:39 GMT

I am looking for some info regarding user tracking on a HP 9000 server running HPUX 10.20. We have more than 250 users on this server. Recently we notice couple of users are trying to get into other users home folder and coping files to others home directory etc. When we notice that we change the right for the home directory and make it only read only to all others other than the owner. My question is, there is a way we can monitor the users activity on the server. I sow under sam there is a Audited Users. Is this something I can use to se the users activity.

Re: user tracking

Sandip Ghosh — Tue, 02 Jul 2002 16:49:49 GMT

I think you need to change your system to a trusted system to take the advantage of that.

Sandip

Re: user tracking

PIYUSH D. PATEL — Tue, 02 Jul 2002 16:54:40 GMT

Hi,

Go to SAM and then convert your system to a Trusted System.

Piyush

Re: user tracking

Arockia Jegan — Tue, 02 Jul 2002 16:57:29 GMT

Hi,

convert the system to the trusted system,

#/usr/lbin/tsconvert -c

or

Do it through sam...

Then turn on the auditing...

Re: user tracking

Martin Johnson — Tue, 02 Jul 2002 17:00:25 GMT

Take care when you turn on auditing. If you audit everything you will need Gigabytes/Terabytes worth of storage for the audit log. Select carefully what you want to audit.

HTH
Marty

Re: user tracking

A. Clay Stephenson — Tue, 02 Jul 2002 17:04:03 GMT

The first thing that I would do is change the permissions on home directories to something more restrictive.

Re: user tracking

Bill Hassell — Wed, 03 Jul 2002 01:45:31 GMT

Unfortunately, the default permissions on an unmodified HP-UX box are not suitable for multiple users. umask is 00 which means that all root-created files and directories cannot be trusted and users will have the same problem: files=666, directories=777

First, explicitly set:

umask 077

in /etc/profile and /etc/csh.login

Then, change all /home/* directories to 700 and remove rw privileges for all files and directories in every user directory. Users can then give away permissions if they really want to, never by default.

To answer the question about watching the user activities, look at the .sh_history file in their $HOME directory. If the user is covering their tracks by zeroing this file or running a non-history shell like /usr/old/bin/sh, then you have a much bigger problem--the user is purposely trying to hack your system.