Operating System - HP-UX

Re: Auditing and Monitor user activities

 
SOLVED
ManojK_1
Valued Contributor

Auditing and Monitor user activities

Hi,

I want to monitor and record destructive commands (like rm, rmdir, mkdir, touch, etc.)
run by users in HP Unix 11.31.

When the command is run, by which user, in which directory, etc.

Are there any default utilities available for HP Unix, or do we have to use third-party software for this?
Thanks and Regards,
Manoj K
Jupinder Bedi
Respected Contributor

Re: Auditing and Monitor user activities

You can use sudo for monitoring all these commands. You can check sudo.log for more details.

All things excellent are as difficult as they are rare
Johnson Punniyalingam
Honored Contributor

Re: Auditing and Monitor user activities

> There are any default utilities available for HP Unix?

Yes, you can "turn on auditing" and trap them.

But you need to turn on many audit parameters while enabling auditing, and this requires enough space on "vg00" to temporarily record them. You can write a script to move those audit files to an /archive/auditlogs file system, which you can create apart from "vg00".
Problems are common to all, but attitude makes the difference
ManojK_1
Valued Contributor

Re: Auditing and Monitor user activities

Hi,

Thanks for the information.
Let me explain the exact requirement.

In our environment there are many developers for one application.

The application is using its own user ID. We have created a separate user ID for each developer.

We have given sudo permission to the development users to log in as the application user.

sudo su - .

So multiple developers log in as the application user at the same time for their own work, and in the sudo log we have a track of who logged in as the application user.

After they log in as the application user, we want to track what commands each of the developers is running.

In the audit log I am not able to track this.

Manoj K

I have enabled the auditing.
Thanks and Regards,
Manoj K
TARUN SHARMA_1
Advisor

Re: Auditing and Monitor user activities

I think you have to do a workaround here. You can check with the last/lastb commands the tty number of the user who logged in; after su to the application user it will be using the same tty, so in this way you can differentiate the users behind the application user.
Sr Tech Lead
Tech Mahindra
Data Canter Tubli Bahrain
Viktor Balogh
Honored Contributor

Re: Auditing and Monitor user activities

Hi ManojK,

So you are using sudo, it's great to hear.
You need to make sure that the files of the appuser can only be deleted by the appuser himself (write and execute permissions).

After that, grant access with sudo only to 'rootsh -u appuser'. rootsh is a restricted shell (not only for granting root access) whose entire session gets logged into rootsh.log

# ll rootsh.log
-rw------- 1 root root 5020 Jan 20 15:05 rootsh.log
#
****
Unix operates with beer.
ManojK_1
Valued Contributor

Re: Auditing and Monitor user activities

Hi Viktor,

From where can I get the rootsh depot for the HP Unix 11.31 Itanium version?

ManojK
Thanks and Regards,
Manoj K
Viktor Balogh
Honored Contributor

Re: Auditing and Monitor user activities

rootsh is an opensource product, also available for HP-UX

http://sourceforge.net/projects/rootsh/files/rootsh/

Roll down the 1.5.2 version; there is a pre-compiled HP-UX depot, try that. If it doesn't work, then you must start from source and compile one for yourself.

Ours was installed from the depot:

# swlist -l file | grep -i rootsh
# ROOTSH 1.5.2-1 a logging shell wrapper for wannabe root users
# ROOTSH.rootsh 1.5.2-1 rootsh executables
ROOTSH.rootsh: /usr/bin/rootsh
ROOTSH.rootsh: /usr/man/man1/rootsh.1

Btw, we have 11.11 systems.
****
Unix operates with beer.
Aldis Black
Advisor

Re: Auditing and Monitor user activities

Hi, Is there a way to restrict the rootsh from logging the outputs of particular commands? Some admins have a bad habit of leaving glance, top etc. sessions open for several hours and it makes the logs grow really fast.
Viktor Balogh
Honored Contributor

Re: Auditing and Monitor user activities

> Hi, Is there a way to restrict the rootsh from logging the outputs of particular commands?

I think rootsh can't be bypassed, everything gets logged. Write a shell script which regularly trims/archives the logs.
****
Unix operates with beer.
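
An added example, not part of the original thread and not from the rootsh project: one way to write the archiving script suggested in the replies above for audit files or rootsh session logs. The function name, both directory arguments and the age threshold are assumptions; only files that have not been modified for the given number of days are archived, so logs of sessions still being written stay in place.

```shell
#!/bin/sh
# Added example. Point log_dir at the directory your audit or rootsh logs are
# written to and archive_dir at a file system outside vg00 (both assumed).

archive_session_logs() {
    log_dir=$1
    archive_dir=$2
    min_age_days=${3:-1}
    archived=0

    [ -d "$log_dir" ] || { echo "no such log dir: $log_dir" >&2; return 2; }
    mkdir -p "$archive_dir" || return 2
    chmod 700 "$archive_dir"          # session logs can contain typed secrets

    for f in "$log_dir"/*; do
        # regular files only; never follow a symlink planted in the log dir
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # find prints the name only when the file is older than the threshold
        [ -n "$(find "$f" -prune -type f -mtime +"$min_age_days" -print)" ] || continue

        base=$(basename "$f")
        dest="$archive_dir/$base.gz"
        # do not overwrite an earlier archive that has the same name
        [ -e "$dest" ] && dest="$archive_dir/$base.$$.gz"

        # remove the original only after the compressed copy verifies
        if gzip -c "$f" > "$dest" && gzip -t "$dest"; then
            chmod 600 "$dest"
            rm -f "$f"
            archived=$((archived + 1))
        else
            rm -f "$dest"
            echo "failed to archive $f, left in place" >&2
        fi
    done
    echo "$archived"                  # number of files moved to the archive
}
```

Run it from root's crontab so that the developers whose sessions are logged cannot alter the schedule or the archive.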
Aldis Black
Advisor

Re: Auditing and Monitor user activities

Viktor, do you happen to know how to make the history work for a root session initiated via rootsh? Looks like the HISTFILE is exported neither from the user's nor root's .profile. Thanks!
Viktor Balogh
Honored Contributor
Solution

Re: Auditing and Monitor user activities

from man rootsh:

-i, --initial
Make the shell a login shell

I think this is what you are looking for. ;)
****
Unix operates with beer.
Aldis Black
Advisor

Re: Auditing and Monitor user activities

Works great! :) Many thanks!
ManojK_1
Valued Contributor

Re: Auditing and Monitor user activities


I am very happy to see that somebody benefited from this.

Thanks VIKTOR for your great support.

Manoj k
Thanks and Regards,
Manoj K