topic Re: Checking user login in Operating System - HP-UX

Checking user login

Kenneth Yap — Thu, 28 Jun 2001 01:20:16 GMT

Dear Expert,
How to check, who user telnet in, rlogin to the server and what are the user doing...?
So that, all the information will login to a log file.
Anything happend to the server, we can check back the log file that known who is causing the problems...
Because every time 2or3 users login using root to login.....Can we check who is using the root to login..?

Regards,

Kenneth

Re: Checking user login

Animesh Chakraborty — Thu, 28 Jun 2001 01:58:32 GMT

Hi Yap,
Beside monitoring /var/adm/syslog/syslog.log,
and /var/adm/sulog,you can use 'last' command to track all the users.Other commands you can use 'whodo',who -u,
Even you can restrict use of super user using a script.
Hope this will help
Thanks
Animesh

Re: Checking user login

Michael Tully — Thu, 28 Jun 2001 02:59:02 GMT

Kenneth,

Check the following files:
/var/adm/syslog/syslog.log
/var/adm/sulog

The last command will reveal the direct
login of users, but not who they are if
they login as root.

Suggest you change the root password
if you can't identify the people who have
access, also look at installing a well
proven product called 'sudo' which is free
off the following link.

http://www.courtesan.com/sudo

Good luck
Michael

Re: Checking user login

Rainer von Bongartz — Thu, 28 Jun 2001 06:24:09 GMT

HP has a product called IDS/9000 (you can download it for free frpm software.hp.com)

This Intrusion detection system lets you monitor logins as well as removal of files and lot's of other things.

Perhaps you should give it a try .

Re: Checking user login

Ravi_8 — Thu, 28 Jun 2001 06:44:14 GMT

Hi,
'last' command gives you who are all logged in. to know who are all presently loggedin and what they are doing use command'w'(just w).
To make out who shutdown the system look into /etc/shutdownlog file.

Re: Checking user login

federico_3 — Thu, 28 Jun 2001 07:05:12 GMT

Also finger can help you.

Re: Checking user login

Herve BRANGIER — Thu, 28 Jun 2001 07:42:12 GMT

Hi

If you want to audit users (and some others
things) you can transform your system to a
trusted system.

You can find information in you docs...

In sam :
Auditing and security -> Audited users (accept
to go in Trusted mode)
-> audit users
Choose a user and start audit. By reading log
file (in action menu) you can see differents
actions (login, ...).

Remember that TS is a big modification in your
systeme... But you can go back (see in sam :
unconvert option, or /usr/lbin/tsconvert -r)

HTH

Herve

Re: Checking user login

John Sisak — Thu, 28 Jun 2001 19:17:24 GMT

This is a policy suggestion as well as a technical suggestion:
1. I agree with Michael. Restrict the knowledge of the root password to the Unix administrator and his or her backup.
2. Make separate ids which have uid=0 for everyone (including yourself) who needs root authority (not necessarily everyone who WANTS it.)
An easy way to do this is to form the id by adding a zero at the end of their non-root ids (e.g. joe smith has an id, jsmith, with uid=201, and a "root" id, jsmith0, with uid=0.) This way, each user has a separate home directory and shell history file.

Many users think that having root authority will make their lives easier but it can also be a huge liability (like if the user is not careful and executes rm -rf * while in /.)

Re: Checking user login

Wilmar Ricio — Thu, 28 Jun 2001 20:56:44 GMT

Hi Yap,

What happened to you happens to me before.

Aside from whats mentioned above monitoring syslog, sulog and last command. Try capturing the .sh_history file of root or user which you suspect is creating your problem. It will show you the commands they entered.

.sh_history should be added to roots .profile or users .profile

HISTFILE=/.sh_history ; export HISTFILE
HISTSIZE=128

The last command will also show you the ip address or hostname where the other roots are logging in.

Re: Checking user login

Wilmar Ricio — Thu, 28 Jun 2001 21:05:04 GMT

One more thing I forgot,

As soon as you pinpointed the culprit and located his ip address, you can go to a WinNT dos prompt and run,
nbtstat -A ip_adress
will show you the users users_name & pc_name.

Hope this will help.

Re: Checking user login

Jason Morgan_1 — Thu, 28 Jun 2001 21:47:42 GMT

Two things...first thing first.

Restrict who knows the root password by changing it. And as a security measure. Place a file called "securetty" in /etc. This file contains nothing and the importance of this file is of its existence. Run `chmod 600 /etc/securetty` as well to make it rw to owner only. Make sure Root is the owner. This will disallow root from being able to telnet into the machine. This forces your users to log into your machines themselves and su to root. The syslog should keep track of su's as well as their personal and root's .sh_history files that keeps track of all commands run.

Second like ravi said run the command `w` to find who's doing what. How often you want this checked is a different matter. You can easily set a script up that run out of cron however often you want and writes the output of the `w` command into a log for a fairly good record of what is going on.

Re: Checking user login

Jared Westgate_1 — Fri, 29 Jun 2001 14:46:11 GMT

Hello Kenneth,

Have you considered using system accounting? If you have system accounting turned on, you can issue the command: acctcom -u username. This will show all the processes that have been executed for a given user.

There are also many other useful reports that you can run with system accounting. I don't know if this gives as much detail as you may be wanting, but I have found it very useful. Other reports show the system resource usage, by user. There is a report to show when and how long each user was logged in, a report to show a list of all commands that were run on the system. As well as a few other nice things.

I don't really know the impact on the system, as I am still evaluating it on our developement system. But, from other posts I've made on the subject, it should be minimal.

Good Luck,

Jared