
Audit trail

 
Tom Gore
Regular Advisor

Audit trail

Is there a way to determine when/who changed a shell script? Also, is there a way to produce a listing of users who have not logged into the system within the last "nn" days. Since the introduction of the Sarbanes-Oxley Act, we are now required (by our auditors) to provide numerous "audit trail" reports. Virtually all movement through the system has to be accounted for and documented.

Thanks
4 REPLIES 4
David Child_1
Honored Contributor

Re: Audit trail

If you set your system to Trusted there is quite a bit of auditing you can do.

David
Paula J Frazer-Campbell
Honored Contributor
Solution

Re: Audit trail

Hi

For login info here:-

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=39611

ll <scriptname> will show owner, group, time and date.

Also set-up and use change control procedures.

Paula
If you can spell SysAdmin then you is one - anon
Sridhar Bhaskarla
Honored Contributor

Re: Audit trail

Hi Tom,

Unless you turn the 'auditing' on, it's difficult to find out who changed what on the system. There is software like CA's eTrust Access-control, powerbroker etc., that can provide additional controls in addition to or replacing the standard UNIX permissions, along with excellent reporting.

If this system is trusted, you can get this information easily with the getprpw command.

/usr/lbin/getprpw -m slogint

will tell you when the user logged in successfully.

To find out the users that have not logged into the system exactly within the last 'n' days, you will need to write a small script. Calculate the seconds since epoch with /usr/contrib/bin/perl -e 'printf("%d\n",time())' - say A. Then in each user's tcb files (/tcb/files/auth//user) you will find seconds since epoch when the user successfully logged in - say B. Calculate (A - B)/86400 and compare it against 'nn'.

Without a trusted system, you will need to depend on the 'last' command. It shows it in days which you will need to convert into epoch and then do the calculations. Also last may not provide 100% information as *tmp files it uses might have gotten trimmed.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
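
The (A - B)/86400 comparison described in the reply above, as an added example that is not part of the original post. It assumes the last-login values have already been collected into "user epoch" lines; the function name, the sample users and the rule that a non-positive value means "never logged in" are assumptions made for this sketch.

```shell
#!/bin/sh
# stale_logins NOW DAYS
#   NOW  = current time in seconds since epoch (value A in the reply)
#   DAYS = the 'nn' threshold
# Reads "user last_login_epoch" lines on stdin (value B per user) and prints
# "user idle_days" for every user whose last successful login is at least
# DAYS days old. Accounts that cannot be dated are reported too, so they
# are not silently left out of the audit listing.
stale_logins() {
    awk -v now="$1" -v limit="$2" '
        NF == 0 { next }                          # skip blank lines
        NF < 2 || $2 !~ /^-?[0-9]+$/ {            # missing or garbled value
            printf "%s unparsable\n", $1; next
        }
        $2 <= 0 {                                 # assumption: no login recorded
            printf "%s never\n", $1; next
        }
        {
            days = int((now - $2) / 86400)        # (A - B)/86400
            if (days >= limit) printf "%s %d\n", $1, days
        }
    '
}

# Constructed sample input, not taken from a real system.
SAMPLE='alice 1099900000
bob 1090000000
carol -1
dave'

# Report accounts idle for 90 days or more as of epoch 1100000000.
printf '%s\n' "$SAMPLE" | stale_logins 1100000000 90
```

Passing the current time in as an argument makes the report reproducible, which helps when the same listing has to be regenerated for an auditor.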
Tom Gore
Regular Advisor

Re: Audit trail

Thanks to all. For whatever reason, they have chosen not to implement our system as "trusted". I like the idea of the script to monitor logins. At least I can check that off my "to do" list. The shell script thing is more of a paper trail thing. There are only three of us that even have command access to the system.