HPE Community
Operating System - HP-UX
1828586 Members
2586 Online
109983 Solutions
New Discussion

Audit User login; commands executed

 
MohitAnchlia
Frequent Advisor

‎09-08-2006 12:47 PM

‎09-08-2006 12:47 PM

Audit User login; commands executed

am looking for some very good suggestions to log activity that occurs
after individual login to UNIX. Scenario:

1. Log all the commands executed by the user after user login into the
UNIX account.
2. Also, if after login user "su" to other login, log all the commands
executed in that "su" login.


What I know is that this could be done by "scripts", but, we don't want
to use scripts because:


1. User can modify the files as it's accessible by him.
2. Also, because it could be easily turned off.


Is there any other better way ? I looked at syslog, sulog etc, but none
of them gives me what I need. sulog just tells who logged in from which
IP.

UNIX being so powerful and profusion of utilities on it would have
something in store that suits my requirement.

0 Kudos
Reply
3 REPLIES 3
spex
Honored Contributor

‎09-08-2006 01:07 PM

‎09-08-2006 01:07 PM

Re: Audit User login; commands executed

Hi,

The best way to accomplish this is to convert to a trusted system. If this is not possible, make sure that $HISTFILE is set for the user, and than $HISTSIZE is a sufficiently large value.

You may also want to consider a 'sudo' approach to the user's history file so that he/she does not have direct write access to it. Routine archiving of ~user/$HISTFILE would also be a good idea.

'script' or a similar utility (e.g. GNU Screen) would be another option, although these would incur overhead.

PCS
0 Kudos
Reply
IT_2007
Honored Contributor

‎09-08-2006 01:24 PM

‎09-08-2006 01:24 PM

Re: Audit User login; commands executed

First activity can be done when you convert your system to trusted mode. Then you can turn on auditing for the system which logs all activity. But it is not a good idea if you are not going to monitor the logs.

Install sudo package so that you can assign root privilages to users and once user sudo's to root then activity will be logged onto .sh_history.

As spex said above you can set history file to hold all activity.
0 Kudos
Reply
MohitAnchlia
Frequent Advisor

‎09-08-2006 03:09 PM

‎09-08-2006 03:09 PM

Re: Audit User login; commands executed

As suggested by "Spex", How can I do this:

"You may also want to consider a 'sudo' approach to the user's history file so that he/she does not have direct write access to it. Routine archiving of ~user/$HISTFILE would also be a good idea."

Also what's the overhead of converting it to trusted mode ?

Could acct, acctmon etc. be used ?

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.