Re: how to trace command issued by unix account

Eric Unix · ‎09-03-2008

Hello All

Our hp server is 11i, and for security issues, are there any method to trace any command issued by unix account . Thanks a lot.

Best Regards
Eric

Look forward

Steven E. Protter · ‎09-03-2008

Shalom Eric,

First you configure the unix user account .profile or /etc/profile to set up a HISTFILE variable.

Then the commands typed are tracked.

From there you can take other avenues of investigation, depending on what you find.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Tim Nelson · ‎09-03-2008

Or

Turn on system accounting for the user(s).

either use SAM or read the Admin guide @ docs.hp.com

Eric Unix · ‎11-13-2008

Hello Steven

Thank you very much.
1.If i set up the variable in /etc/profile, does all new created user will be effected ?

2. does there any size limit on this file .sh_history ? if yes, can i setup let it unlimited size ?

3. this file seems can be modified, does there are any mechod to let it to be readonly ?

Appreciatively

Best Regards
Eric

Look forward

Johnson Punniyalingam · ‎11-13-2008

1.If i set up the variable in /etc/profile, does all new created user will be effected ?

Yes , will effect if you configure

under /etc/profile

.profile --> refer to indivual user_account profile

/etc/profile --> refer to common profile for all User accounts in the System

2. does there any size limit on this file .sh_history ? if yes, can i setup let it unlimited size ?

Yes you can

Acutally NO size_limit

see below example

export HISTFILE=$HOME/.sh_history
HISTSIZE=1000

3. this file seems can be modified, does there are any mechod to let it to be readonly ?

by default its "read-only" file , but only root user can edit,

ll /etc/profile
-r--r--r-- 1 bin bin 2729 Aug 30 2007 /etc/profile

-r--r--r-- 1 ibmadm1 ibmsupt 457 Aug 25 2001 .profile

hope have answered your Question ..:)

Thanks,
Johnson

Problems are common to all, but attitude makes the difference

Dennis Handly · ‎11-13-2008

>1. If I set up the variable in /etc/profile, does all new created user will be effected?

Yes, all users using a real shell.

>2. any size limit on this file .sh_history?

None documented. But I find after either 32K or 64K commands, the files become corrupted. (That's using one file for several machines.)

>3. this file seems can be modified, is there any method to let it to be readonly?

Well, if you can't write to $HISTFILE, you can't save your history.
You can make the variable readonly: readonly HISTFILE

Patrick Wallek · ‎11-13-2008

The problem with using shell history as an auditing tool is that you can NOT tell WHEN a command was run. There is NOT date/time stamp for commands in the HISTFILE.

Shell history was not really designed with auditing in mind.

V. Nyga · ‎11-13-2008

... and with the given example:

2. does there any size limit on this file .sh_history ? if yes, can i setup let it unlimited size ?

Yes you can

Acutally NO size_limit

see below example

export HISTFILE=$HOME/.sh_history
HISTSIZE=1000

.. you'll have a limit of 1000 commands stored!
Maybe you'll need a script then to copy the contents to another (text-)file.

Volkmar

*** Say 'Thanks' with Kudos ***

Dennis Handly · ‎11-13-2008

>Volkmar: you'll have a limit of 1000 commands stored! Maybe you'll need a script then to copy the contents to another (text-)file.

Actually you have many more than 1000 commands in the file but history will only provide 1000. (Perhaps this is why the file gets corrupted?)

If I can't find the command in the history, I grep $HISTFILE to find it. Note it is a "binary" file.

Eric Unix · ‎11-14-2008

Hello All

Thanks for your kind input. :-)
One another question :
the file .sh_history seems can be modified by userself right ? have any method to let user cannot modify it ? because if user can modify it, then this file .sh_history seems lose the audit function ...

Best Regards
Eric

Look forward

Patrick Wallek · ‎11-14-2008

Think about it this way.....

If the user is not allowed to modify the .sh_history file, then how will the history be kept?

The user HAS to have write ability to the file in order for the commands they run to be written to it.

>>then this file .sh_history seems lose the audit function ...

As I said above, the shell history was NOT designed to function as an audit tool. It was designed to provide users the ability to recall commands so they don't have to type the same thing over and over.

You are trying to use the shell history for something other than its true purpose. While it can be used for rudimentary auditing, it really is a poor choice.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: how to trace command issued by unix account

how to trace command issued by unix account