
How to check what did the user do in HP-UX 11i v1

Gary L
Super Advisor

How to check what did the user do in HP-UX 11i v1

Hi

We have some HP-UX rp boxes running HP-UX 11i v1. I'm the root user.

For user management and to check what a user did, can I get a command to check which users have run which commands? For example: I want to list all the commands that user user_a has run just now. Like in root, the "history" command.

Thanks, any answers will be very much appreciated.

-G


14 REPLIES
Hakki Aydin Ucar
Honored Contributor
Solution

Re: How to check what did the user do in HP-UX 11i v1

Hi,

There is no facility in HP-UX to see exactly what others do, but there are some limited things like:

whodo
a description of who is doing what
on your system.

and if you are root, su - user_a and you can check

more /home/user_a/.sh_history

but no timestamp there ..
Patrick Wallek
Honored Contributor

Re: How to check what did the user do in HP-UX 11i v1

If you have the history function set up, you can check that for each user. However, there is no time stamp in the history file. The commands run could be from 2 seconds, 2 minutes, 2 hours, 2 days, 2 weeks, 2 months or 2 years ago.

If you need to do auditing to this level, there is a commercial product called PowerBroker that accomplishes this.

http://www.beyondtrust.com/products/pboverview.asp
Gary L
Super Advisor

Re: How to check what did the user do in HP-UX 11i v1

Thanks Hakki Aydin for your fast reply and good answers above.

I know the command "whodo", it only gets very little info. But .sh_history is the one that I'm looking for, except for the timestamp. But it's okay now, I could guess.

Thanks a lot.

Have a good day.

-G
Gary L
Super Advisor

Re: How to check what did the user do in HP-UX 11i v1

Hi Patrick

Thanks for your answers.

In root, I just know to run command # history and # history -100.

1. How to get the info of 2 sec ago, 2 min ago, 2 hours ago ...

2. How to get other user's info like 2 min ago, 2 hour ago as root user?

-G
Hakki Aydin Ucar
Honored Contributor

Re: How to check what did the user do in HP-UX 11i v1

Hi Gary,

On second thought, check if you have the bash shell:

bash

You can do a trick to have a history file with timestamps:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1375354
Matti_Kurkela
Honored Contributor

Re: How to check what did the user do in HP-UX 11i v1

If you want a record with timestamps that is not easily tamperable by regular users, you must enable the audit subsystem of HP-UX. In 11.11, this requires that the Trusted System Mode is enabled (among other things, this means the encrypted passwords will be stored in the /tcb directory tree, not in /etc/passwd).

Before enabling the audit sub-system, you should set up a place for the audit logs. The default location for them is on the root LV, which is a very bad choice: the audit log can grow with no limit and once it fills the root filesystem, no one can log in anymore. You must then crash the system, boot it to single-user mode and clear up the mess. This happens to quite a few people when testing the audit sub-system for the first time.

Configure the audit log destination so that it is on a non-root disk *before* enabling auditing, and monitor the accumulation rate of the audit logs. Trust me on this.

For auditing just "who ran what when", you'll need to pick an audit event category that logs the exec() family of system calls and not much else. By a quick look through "man audevent", this would probably be the "process" category.

Warning: if you choose to log the events in categories "open" and/or "create", you are likely to get *much* more log output than you expect. Even the execution of a single command will cause many files to be opened for reading. If you enable these log categories, the amount of work the system needs to do for logging may take a non-negligible chunk of the system's capacity for actual useful work.

MK
Patrick Wallek
Honored Contributor

Re: How to check what did the user do in HP-UX 11i v1

You misunderstood what I said about the times.

With the history file in HP-UX there is NO WAY TO KNOW when a command is from. It could be from any time, 2 minutes ago or 2 years ago, and you would NEVER know the difference.

You can look at the "history" file with cat, more or vi. The name of the file is defined in your .profile via the HISTFILE environment variable.
Gary L
Super Advisor

Re: How to check what did the user do in HP-UX 11i v1

Hi MK

Thanks for your detailed explanation above. Most of our HP-UX systems are C2-level Trusted Systems, so I will give it a try.

Thanks

-Gary
Gary L
Super Advisor

Re: How to check what did the user do in HP-UX 11i v1

Yes, I misunderstood about the 2 sec ago, 2 min ago.

I have got how to check the history file for everyone through the .sh_history file.

Thanks Patrick.

-Gary
Bill Hassell
Honored Contributor

Re: How to check what did the user do in HP-UX 11i v1

This was recently discussed (how to add a time stamp to the shell history file). You can use the trap/debug technique described at the end of this link:

http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1375354

which requires changing all the user profiles. Or create this script:

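#!/usr/bin/sh
set -u
# who -q prints the logged-in user names; grep drops its user-count line
for ACTIVE in $(who -q | grep -v users)
do
    # append a date marker to that user's shell history file
    echo "## $(date)" >> ~$ACTIVE/.sh_history
done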

This script uses who -q to get just a list of logged-in users, then appends the current date-time to .sh_history in their home directory. You can save this as a script and put it into root's cron to run a few times during the day.

Now everyone's .sh_history will be time stamped while they are logged in.


Bill Hassell, sysadmin
Gary L
Super Advisor

Re: How to check what did the user do in HP-UX 11i v1

Hi Bill

I have tried your way, that script worked but it looks like just one time use only.

I ran your script and then ran bdf, ioscan -funC disk and cd / as a test. In the cmd history output, only bdf was marked with a timestamp; the other two look normal, without a timestamp. Details are as follows, how to use it?

# history
...
1063 /home/user/whodowhen.sh
1064 ## Tue Oct 6 16:35:04 EDT 2009
## Tue Oct 6 16:35:04 EDT 2009
## Tue Oct 6 16:35:04 EDT 2009
bdf
1065 ioscan -funC disk
1066 cd /
Gary L
Super Advisor

Re: How to check what did the user do in HP-UX 11i v1

Hi Hakki Aydin

Thanks a lot for your hyperlink above. I checked it and found one that looks good and works fine, but it needs two entries added to each user's .profile file on all HP-UX servers.

-G
Bill Hassell
Honored Contributor

Re: How to check what did the user do in HP-UX 11i v1

> I have tried your way, that script worked but it looks like just one time use only.

You probably missed the comment about cron. This script must be run several times each day. To do this, you place the script into root's cron and specify that it run every 2 hours or whatever time you would like to use. Here is an example of a cron entry:

0 1,5,10,15,20 * * * /usr/contrib/bin/timestamp.sh

The script will be run every 5 hours. This assumes that the script has been created and stored in /usr/contrib/bin as the file: timestamp.sh


Bill Hassell, sysadmin
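
Added example (not part of any post in this thread): reading a history file that carries the cron-written "## date" markers. Each command can only be placed between the marker before it and the marker after it, and the file stays writable by its owner, so this is a convenience view and not an audit record. The function names and the sample text are constructed for illustration; the sketch assumes the history has one command per line.

```shell
#!/bin/sh
# Added example, not from the thread.
# Hypothetical names: sample_history, history_windows.

# Constructed sample: a history file after two cron runs (10:00 and 15:00).
# The repeated marker mimics a user who had two login sessions at 10:00.
sample_history() {
    cat <<'EOF'
vi /etc/hosts
## Tue Oct 6 10:00:00 EDT 2009
## Tue Oct 6 10:00:00 EDT 2009
bdf
ioscan -funC disk
## Tue Oct 6 15:00:00 EDT 2009
cd /
EOF
}

# stdin:  history text with "## <date>" marker lines
# stdout: one line per command, tab-separated:
#         <marker before it>  <marker after it>  <command>
history_windows() {
    # Assumption: non-printing bytes in the raw file can be dropped safely.
    tr -cd '\11\12\40-\176' |
    awk '
        BEGIN { prev = "(before first marker)" }
        /^## / {
            stamp = substr($0, 4)
            # everything queued since the last marker ran before this one
            for (i = 1; i <= n; i++) print prev "\t" stamp "\t" cmd[i]
            n = 0; prev = stamp; next
        }
        NF { cmd[++n] = $0 }          # queue a command line, skip blank lines
        END {
            # commands typed after the newest marker have no upper bound yet
            for (i = 1; i <= n; i++) print prev "\t(no later marker yet)\t" cmd[i]
        }
    '
}

sample_history | history_windows
```

To use it on a real file, run history_windows < /home/user_a/.sh_history as root; the width of each window is the interval between cron runs.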
Gary L
Super Advisor

Re: How to check what did the user do in HP-UX 11i v1

Got it, thanks a lot.