Operating System - HP-UX

How to track commands issued by particular user in the last 3 days

 
NDO
Super Advisor

Hi

 

I'm trying to track commands that a particular user issued in the last few days, but with no success. I have issued the following commands: "history -200", "last", and one command whose output I did not quite understand:

who -aHT
   .       run-level 3  Oct 31 16:14    3    0    S
   .       system boot  Oct 31 16:14
vxenable        .       Oct 31 16:14  0:03    263  id=vxen term=0   exit=1
bcheckrc        .       Oct 31 16:14  0:03    264  id=brc1 term=0   exit=0
cat             .       Oct 31 16:14  0:03    354  id=cprt term=0   exit=0
clu_spaw        .       Oct 31 16:14  0:03    355  id=cspd term=0   exit=127
rm              .       Oct 31 16:14  0:03    357  id=ems1 term=0   exit=0
sh              .       Oct 31 16:14  0:03    359  id=ems2 term=0   exit=0
fsdaemon        .       Oct 31 16:14  0:03    362  id=fs01 term=0   exit=0
fsdaemon x      .       Oct 31 16:14  0:03    364  id=fs02
fsdaemon        .       Oct 31 16:14  0:03    365  id=fs03 term=0   exit=0
sh              .       Oct 31 16:14  0:03    366  id=link term=0   exit=0
rc              .       Oct 31 16:15  0:03    369  id=sqnc term=0   exit=0

NAME       LINE         TIME          IDLE    PID  COMMENTS
LOGIN    + console      Oct 31 16:28  old    3148  system console
krsd     x      .       Oct 31 16:15  0:03   2750  id=krsd
sfd      x      .       Oct 31 16:15  0:03   2751  id= sfd
esmd     x      .       Oct 31 16:15  0:03   2752  id=esmd
cimserve x      .       Oct 31 16:15  0:03   2753  id=cim1
sh              .       Oct 31 16:15  0:03   2754  id=ems3 term=0   exit=0
p_client x      .       Oct 31 16:15  0:03   2757  id=ems4
iocdsfd  x      .       Oct 31 16:15  0:03   2758  id=cdsf
clu_dsf_        .       Oct 31 16:15  0:03   2759  id=cdin term=0   exit=0
utild    x      .       Oct 31 16:15  0:03   2760  id=util
bscsprod - pts/0        Dec  4 08:52  0:10  12548  10.100.4.28
bscsprod - pts/ta       Dec  4 09:04  0:30  12930  10.100.4.76
   .       pts/1        Nov  7 09:28  old    3657  id=   1 term=0   exit=0
   .       pts/2        Nov 16 12:01  old    7307  id=   2 term=0   exit=0
bscsprod   pts/tb       Oct 11 13:59  old   25691  id=  tb term=0   exit=0
bscsprod - pts/tc       Dec  4 09:12  0:09  13293  10.100.4.39
bscsprod   pts/td       Oct 29 18:53  old    8474  id=  td term=0   exit=0
bscsprod   pts/te       Nov 12 17:25  old   28751  id=  te term=0   exit=0
payments   pts/tf       Nov  8 19:08  old    5480  id=  tf term=0   exit=0
root     - pts/3        Dec  4 09:43   .    14427  10.100.4.72
bscsprod   pts/tg       Nov  9 02:18  old   19588  id=  tg term=0   exit=0
   .       pts/4        Nov 30 18:18  old   26679  id=   4 term=0   exit=0
bscsprod - pts/5        Dec  4 10:07  0:02  15384  10.100.4.28
bscsprod   pts/th       Nov  8 19:23  old    5239  id=  th term=0   exit=0
bscsprod   pts/ti       Nov  9 01:47  old   20863  id=  ti term=0   exit=0
bscsprod   pts/tj       Nov  2 18:51  old    2382  id=  tj term=0   exit=0
   .       pts/6        Dec  3 17:25 20:31   1809  id=   6 term=0   exit=0
   .       pts/7        Dec  3 21:19 15:54   9707  id=   7 term=0   exit=0
mcelbgh[310]/ #

I did not understand the two dots under the username on the last two lines of this output.

Bill Hassell
Honored Contributor

Re: How to track commands issued by particular user in the last 3 days

bscsprod   pts/tj       Nov  2 18:51  old    2382  id=  tj term=0   exit=0
   .       pts/6        Dec  3 17:25 20:31   1809  id=   6 term=0   exit=0
   .       pts/7        Dec  3 21:19 15:54   9707  id=   7 term=0   exit=0

bscsprod logged in more than 24 hours ago (old) and has been inactive since then (Nov 2).
The user started a new shell session (by typing the login command, for example) using device file pts/6, then from that login started another new shell session on pts/7 about 4 hours later. The dots indicate sublogins.

The who and last commands won't tell you what that user typed, just when they started and finished their sessions. The actual list of commands is stored in the file named in the user's session variable $HISTFILE. If you login as that user, then the shell's history command (which is aliased to fc) will report the most recent 10 commands typed by that user. To see all the commands, make a copy of the file $HISTFILE (by default, ~/.sh_history for ksh or POSIX shell) to examine offline. The history file has binary codes embedded which render the history command non-functional if the history file is modified. There is no timestamp provided with these commands.



Bill Hassell, sysadmin
NDO
Super Advisor

Re: How to track commands issued by particular user in the last 3 days

Many thanks for the reply, but I guess the $HISTFILE variable is not set, judging by the result of typing the following:

echo $HISTFILE
sh: HISTFILE: Parameter not set.

inside the user home directory.

Can I set this parameter in the .profile file in the root directory, or must it be in the user's home directory? Because in its home directory there are only normal files..... user files I mean

NDO
Super Advisor

Re: How to track commands issued by particular user in the last 3 days

Hi

 

I did find the ".sh_history" of some users, and I went through some of them, but with no "rm" command in it.

Can an "rm" command only be found to have been used if auditing is enabled?

Bill Hassell
Honored Contributor

Re: How to track commands issued by particular user in the last 3 days

You need every user to have a shell history. Set the history file name and size in /etc/profile like this:
export HISTFILE=~/.sh_history
export HISTSIZE=2000


Bill Hassell, sysadmin
Bill Hassell
Honored Contributor

Re: How to track commands issued by particular user in the last 3 days

Don't look for rm, look for the filename itself. Then see what was done. Files can be damaged by simply deleting lines with vi and saving the file. Look for commands like ksh, sh, bash that start another shell, perhaps without a history file. And look at all cron jobs for the filename. A cron job can mess up a file.
Finally, a file cannot be removed if the directory permissions don't allow it. 777 is a bad directory permission.


Bill Hassell, sysadmin
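The two pieces of advice in this thread (copy each user's $HISTFILE and examine it offline; search it for the filename rather than for "rm") can be combined into a small triage script. The following is an added example written for this thread and is not code from the original posts or from HP-UX; it assumes ksh-style history files in which plain-text commands are interleaved with NUL and other control bytes (the "binary codes" the reply mentions), which it strips before searching. The sample history it creates is constructed for the demonstration and is not a real user's history.

```sh
#!/bin/sh
# Added example: offline triage of ksh-style .sh_history copies.
# Assumption: entries are text with embedded NUL/control bytes; we
# normalise to one command per line so grep sees clean text.

# Render a history file as one command per line, control bytes removed.
history_text() {
    # $1: path to a copied history file
    tr '\000' '\n' < "$1" | tr -cd '[:print:]\n' | sed '/^[[:space:]]*$/d'
}

# Count commands in a history file that mention a fixed string
# (a filename, as the reply suggests, rather than "rm").
count_mentions() {
    # $1: history file, $2: fixed string to look for
    history_text "$1" | grep -c -F -- "$2"
}

# Print "file: command" for every command that mentions the string,
# across any number of history copies; also flags shells that were
# started from this shell, since those may have kept no history.
scan_histories() {
    # $1: fixed string; remaining args: history files
    needle=$1; shift
    for f in "$@"; do
        history_text "$f" | grep -F -- "$needle" | sed "s|^|$f: |"
        history_text "$f" | grep -E '^(ksh|sh|bash)( |$)' \
            | sed "s|^|$f: sub-shell started (history may be missing): |"
    done
}

# Constructed sample history: four commands with ksh-like control bytes.
make_sample() {
    # $1: path to write
    printf 'ls -l /data/invoice.dat\n\000\001cat /data/invoice.dat\n\000\001vi /data/invoice.dat\n\000ksh\n\000' > "$1"
}

# Stand-alone demonstration on the constructed sample.
demo_file=$(mktemp)
make_sample "$demo_file"
scan_histories invoice.dat "$demo_file"
rm -f "$demo_file"
```

In practice the history files would be copies taken from each user's home directory (cp, not mv, so the live shell keeps working), and the filename passed to scan_histories is the one that was damaged; a hit on vi followed by the filename is exactly the "deleted lines and saved" case the reply describes.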