topic Re: enhancing user activity tracking in Operating System - HP-UX

enhancing user activity tracking

Bobby Gunn — Tue, 03 Dec 2002 00:12:47 GMT

Your help is needed in resolving the details of an idea that I had on enhancing user activity tracking.

The given is that the user has access to their own sh_history file and can make changes (i.e. cover their tracks). We???re utilizing the Bourne shell (/bin/sh) for our system functions and the Korn shell (/bin/ksh) for the user???s startup program.

What we need to figure out, is a way to duplicate what is written by the shell to a user???s sh_history file. The duplicate entry will need to be written to another specified file in a restricted directory (i.e. /var/adm/usrlog/.username.log). This way if the user deletes entries in their own sh_history file, the original commands will still exist in the duplicate file.

Trying to work around user deniability. Any ideas?

Re: enhancing user activity tracking

Michael Tully — Tue, 03 Dec 2002 01:16:16 GMT

Hi,

There are probably a couple of ways. One would to be use 'logger' to capture the user information into a logfile. The second, you could use cron to make copies of the hostory file. If you use a trusted system you could turn on system auditing.

Only thing I would be hesitant doing would be any legal fall out. This would of course depend on your countries leagal system in doing this.

# tail -f ~username/.sh_history |while read line
do
logger $LOGNAME":"$line
done

Logger writes the output to syslog
You could then run grep on the user to get the commands that have been posted.

HTH
Michael

Re: enhancing user activity tracking

Bobby Gunn — Tue, 03 Dec 2002 20:39:21 GMT

Thanks Michael.