Operating System - HP-UX
1828499 Members
2587 Online
109978 Solutions
New Discussion

Audit User login; commands executed

 
MohitAnchlia
Frequent Advisor

Audit User login; commands executed

am looking for some very good suggestions to log activity that occurs
after individual login to UNIX. Scenario:

1. Log all the commands executed by the user after user login into the
UNIX account.
2. Also, if after login user "su" to other login, log all the commands
executed in that "su" login.


What I know is that this could be done by "scripts", but, we don't want
to use scripts because:


1. User can modify the files as it's accessible by him.
2. Also, because it could be easily turned off.


Is there any other better way ? I looked at syslog, sulog etc, but none
of them gives me what I need. sulog just tells who logged in from which
IP.

UNIX being so powerful and profusion of utilities on it would have
something in store that suits my requirement.

3 REPLIES 3
spex
Honored Contributor

Re: Audit User login; commands executed

Hi,

The best way to accomplish this is to convert to a trusted system. If this is not possible, make sure that $HISTFILE is set for the user, and than $HISTSIZE is a sufficiently large value.

You may also want to consider a 'sudo' approach to the user's history file so that he/she does not have direct write access to it. Routine archiving of ~user/$HISTFILE would also be a good idea.

'script' or a similar utility (e.g. GNU Screen) would be another option, although these would incur overhead.

PCS
IT_2007
Honored Contributor

Re: Audit User login; commands executed

First activity can be done when you convert your system to trusted mode. Then you can turn on auditing for the system which logs all activity. But it is not a good idea if you are not going to monitor the logs.

Install sudo package so that you can assign root privilages to users and once user sudo's to root then activity will be logged onto .sh_history.

As spex said above you can set history file to hold all activity.
MohitAnchlia
Frequent Advisor

Re: Audit User login; commands executed

As suggested by "Spex", How can I do this:

"You may also want to consider a 'sudo' approach to the user's history file so that he/she does not have direct write access to it. Routine archiving of ~user/$HISTFILE would also be a good idea."

Also what's the overhead of converting it to trusted mode ?

Could acct, acctmon etc. be used ?