How to track who has done what and when in Linux

senthil_kumar_1
Super Advisor

Hi All,

Is there any feature in Linux (Red Hat / SUSE) like the event log viewer of Windows, wherein we can see all activities of the users and OS?

Is there any third party tool for this?

6 REPLIES
Nighwish
Frequent Advisor

Re: How to track who has done what and when in Linux

Hi

You can see logins through the command "last".

To see what a user does, you can configure the "history" command in the profile of the user:

set history=200
set savehist=200

Regards

Alzhy
Honored Contributor

Re: How to track who has done what and when in Linux

 

Suggestions:

CFENGINE 3 (www.cfengine.org or its Nova Commercial Release)

Install AIDE (Advanced Intrusion Detection Engine? - very similar to Tripwire)

Install Tripwire (open source or commercial)

My primary recommendation would be CFENGINE though, as it is IMHO the most advanced, most widely tested and unique System Administration / Control Freakery tool that, if you master it fully and innovate around it -- could make you a SysAdmin God.

;^)

Hakuna Matata.
Matti_Kurkela
Honored Contributor

Re: How to track who has done what and when in Linux

AIDE and Tripwire are tools for verifying "have these files changed or not?".

CFEngine is a large-scale verification and automation system.

But if you simply want to monitor one user in one system, CFEngine would be a massive overkill and AIDE and Tripwire might not quite fit the requirements.

What you need is the audit subsystem of the Linux kernel. It is included in RHEL, probably SLES too.

You can find some documentation of it here:

http://people.redhat.com/sgrubb/audit/

The audit subsystem can log user actions at the system call level: if you want, it will log the start-up of any process, and opening of any file by the user. However, you're likely to see more output than you want: you will see that even starting up a simple command like "ls" requires opening multiple files, like system libraries, /etc/timezone, and localization files.

MK
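
An added example, not part of the original thread: one way to turn audit records into a "who ran what, when" list is to log only execve (which avoids the per-file noise described above) and join each event's SYSCALL and EXECVE records. The auid field is the login UID, which stays the same across su and sudo, so it names the person even when uid is 0. The audit rule, the key name user_cmds and the log lines below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed, abbreviated sample of /var/log/audit/audit.log (not real output), as
# produced by an assumed rule: auditctl -a always,exit -F arch=b64 -S execve -k user_cmds
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="user_cmds"
type=EXECVE msg=audit(1700000000.123:101): argc=2 a0="cat" a1="/etc/shadow"
type=PATH msg=audit(1700000000.123:101): item=0 name="/usr/bin/cat" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1700000060.500:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1001 uid=1001 euid=1001 tty=pts1 ses=4 comm="touch" exe="/usr/bin/touch" key="user_cmds"
type=EXECVE msg=audit(1700000060.500:102): argc=2 a0="touch" a1=2F746D702F6D792066696C65
type=SYSCALL msg=audit(1700000090.000:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="user_cmds"
type=EXECVE msg=audit(1700000090.000:103): argc=1 a0="cron"
'''
HEADER = re.compile(r'type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = '4294967295'  # (uint32)-1: no login uid, e.g. daemons started at boot

def decode(value):
    """EXECVE args are quoted, or hex-encoded when they contain spaces or specials."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace')
    except ValueError:
        return value

def commands_by_user(log_text):
    """Join SYSCALL and EXECVE records on the event serial; return (when, auid, uid, cmd)."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, epoch, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        if rtype == 'SYSCALL':
            events[serial].update(time=int(epoch), auid=fields['auid'], uid=fields['uid'])
        elif rtype == 'EXECVE':
            argv = [decode(fields.get(f'a{i}', '?')) for i in range(int(fields['argc']))]
            events[serial]['argv'] = argv
    rows = []
    for ev in events.values():
        if 'argv' in ev and ev.get('auid', UNSET_AUID) != UNSET_AUID:
            when = datetime.fromtimestamp(ev['time'], timezone.utc).isoformat()
            rows.append((when, ev['auid'], ev['uid'], ' '.join(ev['argv'])))
    return rows
```

Calling commands_by_user(SAMPLE_LOG) returns two rows: the first has auid 1000 but uid 0, meaning a logged-in user ran the command as root, and the cron event is dropped because it has no login UID.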
Alzhy
Honored Contributor

Re: How to track who has done what and when in Linux

I disagree, Matti.

Companies large and small actually lean more towards CFENGINE these days -- ditto with Tripwire as it offers a consistent tool across all flavours of Linux and UNIX (heck even Windows).

Hakuna Matata.
rmueller58
Valued Contributor

Re: How to track who has done what and when in Linux

Add the following command to user profiles.

Beforehand:

mkdir /var/log/useractivity
chmod 755 /var/log/useractivity
touch /var/log/useractivity/user.log ## "user" EQUALS LINUX USER

In .bash_profile:

# bash sets $USER (upper case); $user is only set in csh/tcsh
script -a /var/log/useractivity/$USER.log
clear

ManojK_1
Valued Contributor

Re: How to track who has done what and when in Linux

Hi,

It is possible to track who has done what and when in Linux with the help of the bash shell.

I have done it in my datacenter for all HP Unix and Linux servers. Each and every keystroke (command executed) is captured in syslog, and the syslog is configured with SIEM so that the same syslog will update in a remote system.

Manoj K

Thanks and Regards,
Manoj K