https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463611#M732801 OK - so I have started the auditing system taking mostly deault parameters, but dis extend the list of events within the /etc/rc.config.d/auditing<BR />AUDEVENT_ARGS1="P -e login -e admin -e delete -e modaccess -e open"<BR /><BR />I then logged into the sysetem via telnet, touched a file, vi the file, the rm the file, then logged out.<BR /><BR />Yet, when I then view the audit trial using audisp <MY auit="" file="">, I only see my login, but no other activity.<BR /><BR />I thought that the event list provided within the AUDEVENT_ARGS1 list would have captured all my events?<BR /><BR />any ideas where I have gone wrong on this one?<BR /><BR />thanks<BR />Johnny</MY> Wed, 29 Jul 2009 09:41:20 GMT Johnny2009 2009-07-29T09:41:20Z https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463604#M732794 Hi,<BR /><BR />Can someone recommend a product that would allow me to log details of users shell sessions? A bit like an expanded .sh_history file with timestamps for each command, &amp; also details of commands entered in sessions with databases &amp; other tools launched from the shell.<BR /><BR />TIA<BR /><BR />Johnny Tue, 21 Jul 2009 09:27:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463604#M732794 Johnny2009 2009-07-21T09:27:53Z https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463605#M732795 Hi,<BR /><BR />Enable auditing into your server...<BR /><BR />Suraj Tue, 21 Jul 2009 10:00:22 GMT https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463605#M732795 Suraj K Sankari 2009-07-21T10:00:22Z https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463606#M732796 Hi Jhonny,<BR /><BR />Then you should go for auditing enabled.<BR /><BR />Refer these links for more details<BR /><BR /><A href="http://docs.hp.com/en/5992-3387/ch10.html" target="_blank">http://docs.hp.com/en/5992-3387/ch10.html</A><BR /><BR /><A href="http://docs.hp.com/en/B2355-90121/index.html" target="_blank">http://docs.hp.com/en/B2355-90121/index.html</A> Tue, 21 Jul 2009 10:02:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463606#M732796 Ganesan R 2009-07-21T10:02:37Z https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463607#M732797 Shalom Johnny,<BR /><BR />I would go with auditing for the server as recommended above.<BR /><BR />I will however explain why.<BR /><BR />.sh_history is a wonderful file, but in order to log peoples actions they need read-write permission to the files.<BR /><BR />This means they can alter the contents.<BR /><BR />Auditing collects data in a file that only root can access. Therefore a user trying to cover their tracks or mistake can not.<BR /><BR />SEP Tue, 21 Jul 2009 10:25:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463607#M732797 Steven E. Protter 2009-07-21T10:25:18Z https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463608#M732798 If you are looking for an enterprise level solution with logging to remote server, where even the root user does not have direct access to, unlike auditing, I'd suggest using PowerBroker from symark software. Tue, 21 Jul 2009 11:16:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463608#M732798 Mel Burslan 2009-07-21T11:16:50Z https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463609#M732799 Thanks for the response guys. Appreciate it. Tue, 28 Jul 2009 08:22:40 GMT https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463609#M732799 Johnny2009 2009-07-28T08:22:40Z https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463610#M732800 Some places force everyone to run root commands using RBAC or sudo. But that's very intrusive, I don't like that solution.<BR /><BR />Something more transparent consists of using the auditing subsystem to log most exec() calls and you would have the equivalent of what you're looking for, i.e. a timestamp, a command, and a username.<BR /><BR />If on the other hand you want to log complete interactive sessions, meaning you would like to be able to playback what users did on their terminal and see what they saw, there is something now that does this and it's better than using script(1). I saw at HPTF2009 (in a non-NDA session) that HP developped such a tool, but I'm was not able to download Ron's slides so I don't know if it's available yet and what it's called.<BR /><BR />Good luck Tue, 28 Jul 2009 12:05:33 GMT https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463610#M732800 Olivier Masse 2009-07-28T12:05:33Z https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463611#M732801 OK - so I have started the auditing system taking mostly deault parameters, but dis extend the list of events within the /etc/rc.config.d/auditing<BR />AUDEVENT_ARGS1="P -e login -e admin -e delete -e modaccess -e open"<BR /><BR />I then logged into the sysetem via telnet, touched a file, vi the file, the rm the file, then logged out.<BR /><BR />Yet, when I then view the audit trial using audisp <MY auit="" file="">, I only see my login, but no other activity.<BR /><BR />I thought that the event list provided within the AUDEVENT_ARGS1 list would have captured all my events?<BR /><BR />any ideas where I have gone wrong on this one?<BR /><BR />thanks<BR />Johnny</MY> Wed, 29 Jul 2009 09:41:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/unix-shell-logging/m-p/4463611#M732801 Johnny2009 2009-07-29T09:41:20Z