
Checking user login

 
Kenneth Yap
Frequent Advisor

Checking user login

Dear Expert,
How can we check which users telnet or rlogin to the server, and what the users are doing?
We want all the information to be logged to a log file.
If anything happens to the server, we can check back in the log file to know who is causing the problems.
Every time, 2 or 3 users log in using root. Can we check who is using root to log in?

Regards,

Kenneth
Animesh Chakraborty
Honored Contributor

Re: Checking user login

Hi Yap,
Besides monitoring /var/adm/syslog/syslog.log
and /var/adm/sulog, you can use the 'last' command to track all the users. Other commands you can use are 'whodo' and 'who -u'.
You can even restrict use of the superuser using a script.
Hope this will help
Thanks
Animesh
Did you take a backup?
Michael Tully
Honored Contributor

Re: Checking user login

Kenneth,

Check the following files:
/var/adm/syslog/syslog.log
/var/adm/sulog

The last command will reveal the direct
login of users, but not who they are if
they log in as root.

Suggest you change the root password
if you can't identify the people who have
access. Also look at installing a well
proven product called 'sudo', which is free
from the following link.

http://www.courtesan.com/sudo

Good luck
Michael
Anyone for a Mutiny ?
Rainer von Bongartz
Honored Contributor

Re: Checking user login


HP has a product called IDS/9000 (you can download it for free from software.hp.com).

This intrusion detection system lets you monitor logins as well as removal of files and lots of other things.

Perhaps you should give it a try.

He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Ravi_8
Honored Contributor

Re: Checking user login

Hi,
The 'last' command shows you everyone who has logged in. To know who is presently logged in and what they are doing, use the command 'w' (just w).
To find out who shut down the system, look in the /etc/shutdownlog file.
never give up
federico_3
Honored Contributor

Re: Checking user login


Also finger can help you.
Herve BRANGIER
Respected Contributor

Re: Checking user login

Hi

If you want to audit users (and some other
things) you can convert your system to a
trusted system.

You can find information in your docs...

In sam:
Auditing and security -> Audited users (accept
to go in Trusted mode)
-> audit users
Choose a user and start the audit. By reading the log
file (in the action menu) you can see different
actions (login, ...).

Remember that TS is a big modification to your
system... But you can go back (see in sam:
unconvert option, or /usr/lbin/tsconvert -r)


HTH

Herve
John Sisak
Advisor

Re: Checking user login

This is a policy suggestion as well as a technical suggestion:
1. I agree with Michael. Restrict the knowledge of the root password to the Unix administrator and his or her backup.
2. Make separate ids which have uid=0 for everyone (including yourself) who needs root authority (not necessarily everyone who WANTS it.)
An easy way to do this is to form the id by adding a zero at the end of their non-root ids (e.g. joe smith has an id, jsmith, with uid=201, and a "root" id, jsmith0, with uid=0.) This way, each user has a separate home directory and shell history file.

Many users think that having root authority will make their lives easier but it can also be a huge liability (like if the user is not careful and executes rm -rf * while in /.)
Wilmar Ricio
Occasional Advisor

Re: Checking user login

Hi Yap,

What happened to you has happened to me before.

Aside from what's mentioned above (monitoring syslog, sulog and the last command), try capturing the .sh_history file of root or of the user you suspect is creating your problem. It will show you the commands they entered.

.sh_history should be added to root's .profile or the user's .profile:

HISTFILE=/.sh_history ; export HISTFILE
HISTSIZE=128

The last command will also show you the ip address or hostname where the other roots are logging in.
Wilmar Ricio
Occasional Advisor

Re: Checking user login

One more thing I forgot,

As soon as you have pinpointed the culprit and located his IP address, you can go to a WinNT DOS prompt and run
nbtstat -A ip_address
which will show you the user's users_name & pc_name.

Hope this will help.
Jason Morgan_1
Advisor

Re: Checking user login

Two things... first things first.

Restrict who knows the root password by changing it. And as a security measure, place a file called "securetty" in /etc. This file contains nothing; the importance of this file is its existence. Run `chmod 600 /etc/securetty` as well to make it rw to owner only. Make sure root is the owner. This will disallow root from being able to telnet into the machine. This forces your users to log into your machines as themselves and su to root. The syslog should keep track of su's, as well as their personal and root's .sh_history files that keep track of all commands run.

Second, like Ravi said, run the command `w` to find who's doing what. How often you want this checked is a different matter. You can easily set up a script that runs out of cron however often you want and writes the output of the `w` command into a log for a fairly good record of what is going on.
Never Underestimate the Power of Human Stupidity -RAH
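
Several replies point to /var/adm/sulog as the record of who switched to root once direct root logins are blocked. As an added example (not part of any post in this thread), the script below summarises su-to-root attempts per user; it assumes the usual sulog line layout `SU MM/DD HH:MM +|- tty fromuser-touser`, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise su attempts to root from an sulog-format file.
# Assumed line layout: SU MM/DD HH:MM <+|-> <tty> <fromuser>-<touser>
# ("+" = successful su, "-" = failed su).

# Constructed sample data, not taken from a real system.
sample_sulog() {
cat <<'EOF'
SU 03/12 09:14 + ttyp1 kyap-root
SU 03/12 09:40 - ttyp3 jsmith-root
SU 03/12 09:41 + ttyp3 jsmith-root
SU 03/12 11:02 + ttyp2 kyap-oracle
SU 03/13 08:55 + ttyp1 kyap-root
SU 03/13 22:17 - ttyp4 guest-root
EOF
}

# su_root_summary [file ...]
# Prints one line per user: "user ok=N fail=N last=MM/DD HH:MM".
# Reads stdin when no file is given. Only su-to-root entries are counted.
su_root_summary() {
    awk '
    $1 == "SU" && $6 ~ /-root$/ {
        user = $6
        sub(/-root$/, "", user)          # keep the originating account
        if ($4 == "+") ok[user]++
        else if ($4 == "-") fail[user]++
        last[user] = $2 " " $3           # most recent attempt, either result
        seen[user] = 1
    }
    END {
        for (u in seen)
            printf "%s ok=%d fail=%d last=%s\n", u, ok[u], fail[u], last[u]
    }' "$@" | sort
}

# su_root_failed_only [file ...]
# Users who attempted su to root and never succeeded: worth a closer look.
su_root_failed_only() {
    su_root_summary "$@" | awk '$2 == "ok=0" { print $1 }'
}

# Run against the files given on the command line, else the sample data.
if [ $# -gt 0 ]; then su_root_summary "$@"; else sample_sulog | su_root_summary; fi
```

Run it as `sh script.sh /var/adm/sulog` to report on the live log; a cron entry can append the output to a dated file for later review.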
Jared Westgate_1
Valued Contributor

Re: Checking user login

Hello Kenneth,

Have you considered using system accounting? If you have system accounting turned on, you can issue the command: acctcom -u username. This will show all the processes that have been executed for a given user.

There are also many other useful reports that you can run with system accounting. I don't know if this gives as much detail as you may be wanting, but I have found it very useful. Other reports show the system resource usage, by user. There is a report to show when and how long each user was logged in, and a report to show a list of all commands that were run on the system, as well as a few other nice things.

I don't really know the impact on the system, as I am still evaluating it on our development system. But, from other posts I've made on the subject, it should be minimal.

Good Luck,

Jared