Tripwire is designed to spot changes in system configuration tha effect security, show signs of hackers invading as such.
Its a great tool, I recommend it, but not for this application. Unless these folks are overwriting root access configuraiton files. Which means root password security is an issue.
You might want to harden your system with Bastille.
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AAThus far I've skillfully avoided actually answering your question.
Because users are coming in via a vpn, there may not be enough data on the hp system to figure out who did what.
inetd -l
Enhances logging of all internet connections including ftp and secure shell.
Start analyzing the /var/adm/syslog/syslog.log file for the transactions you care about.
Run them agains the vpn log if you are getting the vpn ip address in syslog.log
When you see an important file has changed, you should be able to match its time stamp against syslog and trace it back to the offender.
Thats the best I can think of so far.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
