topic Re: Looking at a shell ENV in Operating System - HP-UX

Looking at a shell ENV

Jeff Machols — Tue, 18 Dec 2001 14:06:25 GMT

Anyone know of a way to list the environment vairiables of a users active shell. I have a user that is screwing around and I want to see where he redirected his history (I think he does on the command line, after his profile runs). The only thing I can think of is to force a core a dump on the shell, but I would rather be a little quieter.

Re: Looking at a shell ENV

Alan Casey — Tue, 18 Dec 2001 14:09:05 GMT

As root you could su - tothe userid and look at the env there.

Or look at ~userid/.profile , .env , .login
Might find the answer there.

Re: Looking at a shell ENV

Jeff Machols — Tue, 18 Dec 2001 14:13:09 GMT

The problem is, he is setting these by hand after he logs in

Re: Looking at a shell ENV

Alan Casey — Tue, 18 Dec 2001 14:14:58 GMT

the only other thing I can suggest id to enable commands history for the user, and monitor them:

tail -f ~userid/.sh_history

You could then catch them out in the act.

Re: Looking at a shell ENV

Alan Casey — Tue, 18 Dec 2001 14:34:09 GMT

There may be a way to find if his history has been redirected fro his current shell.

With lsof or even fuser, you should be able to find all files open under this userid.
And locate the history

this may however be laborious.

Re: Looking at a shell ENV

Steven Gillard_2 — Tue, 18 Dec 2001 14:35:14 GMT

How about the "set" command with no arguments. Its built into the shell, so see the sh-posix(1) man page for details.

Regards,
Steve

Re: Looking at a shell ENV

Steven Gillard_2 — Tue, 18 Dec 2001 14:44:51 GMT

Ahh sorry, misread the question... only way I can think of to find their shell history file is with lsof.

Regards,
Steve

Re: Looking at a shell ENV

harry d brown jr — Tue, 18 Dec 2001 14:45:10 GMT

Do this:

readonly HISTFILE
readonly HISTSIZE

live free or die
harry

Re: Looking at a shell ENV

Jeff Machols — Tue, 18 Dec 2001 14:50:10 GMT

Thanks Harry, put that in /etc/profile. At least all new logins will be able to be monitored

Re: Looking at a shell ENV

harry d brown jr — Tue, 18 Dec 2001 14:51:27 GMT

Steven makes a good point, download lsof (if you don't already have it) from:

http://hpux.asknet.de/hppd/hpux/Sysadmin/lsof-4.55/

It doesn't require a reboot, it's just a binary.

Then "lsof | grep history", providing they didn't rename their history file, but you can do a "lsof | grep ".

live free or die
harry

Re: Looking at a shell ENV

Jeff Machols — Tue, 18 Dec 2001 14:54:06 GMT

tried that, it looks like the file isn't always open (tried it on myself). It looks like ksh just appends to the file when needed but doesn't keep it open

Re: Looking at a shell ENV

Steven Gillard_2 — Tue, 18 Dec 2001 15:08:37 GMT

In that case you could use tusc to find out what files the shell is opening. Eg:

# tusc -s 5

This will print out all the open system calls made by the process.

Another one of my personal favorites:

# tusc -s 3 -d 0

will print out all read system calls on stdin. So you can basically watch the users keystrokes as they are typed. Its always good to inform them of their spelling mistakes without having them read out what they have just typed over the phone :)

Cheers,
Steve

Re: Looking at a shell ENV

Steven Sim Kok Leong — Tue, 18 Dec 2001 15:15:38 GMT

Hi,

Three additional methods for tracing:

1) Enable auditing of user via sam. You will need to convert your OS to trusted before auditing can be performed.

2) Run account management via acctcom, runacct etc.

3) Use expect scripting to log all screen output of a user's login shell (I have seen it done on one system).

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com

Re: Looking at a shell ENV

Jeff Machols — Tue, 18 Dec 2001 18:28:07 GMT

Steve,

I like that command, That will help a lot

THANKS

Re: Looking at a shell ENV

Jeff Machols — Tue, 18 Dec 2001 19:28:35 GMT

Steve,

it looks like the tusc command has a -e option to show env vars, but I can't seem to get it to work right. Either it's not what I think it is, or I am doing something wrong, any ideas?

Re: Looking at a shell ENV

Bill Hassell — Tue, 18 Dec 2001 20:01:10 GMT

Try sorting all the files in $HOME by timestamp:

ll -t ~user_name

The files at the top of the list were recently modified.

However, if this (ab)user is really hacing and wants no one looking over the shell commands, the HISTFILE variable may have been unset in which case the history file is no longer used.

The readonly suggestion probably makes a lot of sense, and you may have to append your company's security policy (you do have one don't you?) to state that "shell history files are required for system management and may not be bypassed".

Re: Looking at a shell ENV

Jeff Machols — Tue, 18 Dec 2001 20:11:37 GMT

Bill,

I am acutually running a find on all files that he owns. This user has been caught twice so I think he is definaltly hidding his actions, the tusc is working good, just a little cumbersome to try and read. There is nothing in the home directory, but I can see he is running commands.

Re: Looking at a shell ENV

Steven Gillard_2 — Wed, 19 Dec 2001 09:15:17 GMT

Jeff,

You're right - it looks like it will display them only on an exec*() system call though. Try running

# tusc -f -p -e

against a shell, then run a command in the traced shell. After the forked process does an exec you will see the environment variables that are exported.

I guess that would mean the real answer to your question is to run:

# tusc -f -p -e -s 59

That will trace the execve() system calls made by child processes of the users shell and print out the environment variables. See /usr/include/sys/scall_define.h for all the system call numbers.

Cheers,
Steve

Re: Looking at a shell ENV

Jeff Machols — Wed, 19 Dec 2001 13:47:19 GMT

Thats exactly it Steve, now I have the proof I need to get rid of this %$*@er