Operating System - HP-UX
1839187 Members
5309 Online
110137 Solutions
New Discussion

How to log all the users activity including root

 
SOLVED
Go to solution
senthil_kumar_1
Super Advisor

How to log all the users activity including root

Hi

I want to log all the users activity.

That is i want to view what are the users has executed what commands.

is it possibel?
10 REPLIES 10
Bill Hassell
Honored Contributor

Re: How to log all the users activity including root

Make sure the two lines:

export HISTFILE=$HOME/.sh_history
export HISTLINES=5000

are in your /etc/profile. This assumes that no one uses scummy csh or tcsh as a shell. There will be a file: .sh_history in each user's directory. You may have to create the root user's history one time. As root:

touch .sh_history

Be sure to make secure copies of all of these files. They must be writable by the users in order to log the commands but that means some users may erase the contents once in a while.


Bill Hassell, sysadmin
Avinash20
Honored Contributor

Re: How to log all the users activity including root

Via history file we would be able to see the command run by each users, but wont be able to get the timestamp at which the commands were run

You could either write a script to get the timestamp or enable auditing .

The auditing could be enabled by converting the system into trusted(/usr/lbin/tsconvert) or in Standard mode via installing

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt

http://www.docs.hp.com/en/5991-1101/ch08s08.html
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Emil Velez
Honored Contributor

Re: How to log all the users activity including root

HPUX 11.23 has a new auditing feature that does not require conversion to trusted system. You can choose what users to audit and what system calls or functions to audit or all.

It is somewhat cryptic till you get use to the audit records but it is truely everything that user and their processes did.
Suraj K Sankari
Honored Contributor

Re: How to log all the users activity including root

Hi,

By enabling "auditing" you can track all the users activity.

Suraj
Steven E. Protter
Exalted Contributor

Re: How to log all the users activity including root

Shalom,

Built in feature.

Note, you can not locate these logs on NFS. If you do the user profile won't load.

Note also the users can by nature alter these files.

So if you don't trust a user, you will need to script a way to copy the files off once in a while and archive them.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
senthil_kumar_1
Super Advisor

Re: How to log all the users activity including root

Hi

In my environment following HP-UX servers are available.

HP-UX 10.20, HP-UX 11.00 and HP-UX 11.11.

So How to enable audit in above servers.

Mel Burslan
Honored Contributor
Solution

Re: How to log all the users activity including root

When it comes to auditing, be very careful. You audit too much details, your disk space will be chewed up real fast. Unfortunately, auditing is not real user friendly. So, unless you have some experience with it, I'd suggest you contact HP for technical support if you have a support agreement to set it up righ from the beginning instead of trying to dig yourself out of a hole, days or weeks later.
________________________________
UNIX because I majored in cryptology...
Rita C Workman
Honored Contributor

Re: How to log all the users activity including root

You might consider a third party software for doing this. And avoid logging everyone all the time as, like Mel says, it just takes up alot of filespace - and who reads it.
Adhoc monitoring allows you to pick and choose and keep a handle on the space used.
We use PowerBroker. It's not expensive, monitors;logs;can distribute controlled root privileges and more.

Just a thought,
Rita
Emil Velez
Honored Contributor

Re: How to log all the users activity including root

TOo bad you are still using 11.20 11.00 and 11.11

In order to enable auditing on those systems you need to be in trusted mode.

1. Convert the system to trusted mode (in sam)
2. Sam -> auditing

then you specify what users or system calls or functions you want to audit.

It might be under routine tasks.

Suggest you check this on a test system. Converting to trusted mode is not a trivial thing to do and may cause apps that read /etc/passwd directly to break.

Suraj K Sankari
Honored Contributor

Re: How to log all the users activity including root

Hi,

From command prompt you can enable the auditing but the best option is from SAM

Suraj