Operating System - HP-UX

Re: how to trace command issued by unix account

 
Eric Unix
Frequent Advisor

how to trace command issued by unix account

Hello All

Our HP server runs 11i, and for security reasons, is there any method to trace every command issued by a unix account? Thanks a lot.

Best Regards
Eric
Look forward
Steven E. Protter
Exalted Contributor
Solution

Re: how to trace command issued by unix account

Shalom Eric,

First you configure the unix user account .profile or /etc/profile to set up a HISTFILE variable.

Then the commands typed are tracked.

From there you can take other avenues of investigation, depending on what you find.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Tim Nelson
Honored Contributor

Re: how to trace command issued by unix account

Or

Turn on system accounting for the user(s).

Either use SAM or read the Admin guide at docs.hp.com.

Eric Unix
Frequent Advisor

Re: how to trace command issued by unix account

Hello Steven

Thank you very much.
1. If I set up the variable in /etc/profile, will all newly created users be affected?

2. Is there any size limit on this file .sh_history? If yes, can I set it up to have unlimited size?

3. This file seems to be modifiable; is there any method to make it read-only?

Appreciatively

Best Regards
Eric


Look forward
Johnson Punniyalingam
Honored Contributor

Re: how to trace command issued by unix account

> 1. If I set up the variable in /etc/profile, will all newly created users be affected?

Yes, it will affect them if you configure it

under /etc/profile

.profile --> refers to the individual user account's profile

/etc/profile --> refers to the common profile for all user accounts on the system



> 2. Is there any size limit on this file .sh_history? If yes, can I set it up to have unlimited size?

Yes, you can.

Actually, there is NO size limit.

See the example below:

export HISTFILE=$HOME/.sh_history
HISTSIZE=1000


> 3. This file seems to be modifiable; is there any method to make it read-only?

By default it's a "read-only" file, but only the root user can edit it:

ll /etc/profile
-r--r--r-- 1 bin bin 2729 Aug 30 2007 /etc/profile

-r--r--r-- 1 ibmadm1 ibmsupt 457 Aug 25 2001 .profile


Hope I have answered your question ..:)

Thanks,
Johnson
Problems are common to all, but attitude makes the difference
Dennis Handly
Acclaimed Contributor

Re: how to trace command issued by unix account

>1. If I set up the variable in /etc/profile, will all newly created users be affected?

Yes, all users using a real shell.

>2. any size limit on this file .sh_history?

None documented. But I find after either 32K or 64K commands, the files become corrupted. (That's using one file for several machines.)

>3. this file seems can be modified, is there any method to let it to be readonly?

Well, if you can't write to $HISTFILE, you can't save your history.
You can make the variable readonly: readonly HISTFILE
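Putting the answers above together (Steven's HISTFILE in /etc/profile, Johnson's HISTFILE/HISTSIZE lines, Dennis's note that one file shared by several machines gets corrupted, and his readonly HISTFILE), here is an added example of the profile fragment plus a check that the variables really are locked. This is editor-added example code, not code from any poster: the per-host file suffix, the HISTSIZE value of 2000 and the function names are assumptions. It runs under a POSIX shell such as HP-UX /usr/bin/sh or bash. The last function shows the limit of readonly: it is an attribute of the current shell process only, so a child shell started by the user with its own HISTFILE in the environment is not bound by it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: hist_file_for, configure_history,
# lock_history_vars, history_vars_locked, child_sees_histfile. Assumed HISTSIZE: 2000.

# One history file per host, so that a home directory shared over NFS does not let
# several machines write the same file (the situation Dennis reports as corrupting it).
hist_file_for() {
    printf '%s/.sh_history.%s\n' "$1" "$2"
}

# The lines a site would put near the end of /etc/profile. HISTFILE must be set
# before the shell starts reading interactive commands, which is why /etc/profile works.
configure_history() {
    HISTFILE=$(hist_file_for "$1" "$2")
    HISTSIZE=2000        # commands recalled by 'history'; the file itself keeps growing
    export HISTFILE HISTSIZE
}

# Stop the login shell from re-pointing its own history later in the session.
lock_history_vars() {
    readonly HISTFILE HISTSIZE
}

# Check: an assignment to a readonly variable fails. Done in a subshell so the check
# itself changes nothing. Returns 0 when both variables are locked.
history_vars_locked() {
    if ( HISTFILE=/dev/null ) 2>/dev/null; then return 1; fi
    if ( HISTSIZE=0 ) 2>/dev/null; then return 1; fi
    return 0
}

# Caveat: a child process inherits the exported value, not the readonly attribute,
# so a user can start a fresh shell with any HISTFILE. This prints what such a child sees.
child_sees_histfile() {
    env HISTFILE=/dev/null sh -c 'printf "%s\n" "$HISTFILE"'
}

configure_history "${HOME:-/tmp}" "$(uname -n)"
lock_history_vars
if history_vars_locked; then
    echo "HISTFILE=$HISTFILE HISTSIZE=$HISTSIZE are readonly in this shell"
fi
echo "a child shell started with env HISTFILE=/dev/null sees HISTFILE=$(child_sees_histfile)"
```

The readonly line belongs after the export, and nothing later in /etc/profile or in the user's .profile may assign the two variables again, or that assignment will fail with an error at login.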
Patrick Wallek
Honored Contributor

Re: how to trace command issued by unix account

The problem with using shell history as an auditing tool is that you can NOT tell WHEN a command was run. There is NO date/time stamp for commands in the HISTFILE.

Shell history was not really designed with auditing in mind.
V. Nyga
Honored Contributor

Re: how to trace command issued by unix account

... and with the given example:

> 2. Is there any size limit on this file .sh_history? If yes, can I set it up to have unlimited size?
>
> Yes, you can.
>
> Actually, there is NO size limit.
>
> See the example below:
>
> export HISTFILE=$HOME/.sh_history
> HISTSIZE=1000

.. you'll have a limit of 1000 commands stored!
Maybe you'll need a script then to copy the contents to another (text) file.

Volkmar
*** Say 'Thanks' with Kudos ***
Dennis Handly
Acclaimed Contributor

Re: how to trace command issued by unix account

>Volkmar: you'll have a limit of 1000 commands stored! Maybe you'll need a script then to copy the contents to another (text-)file.

Actually you have many more than 1000 commands in the file but history will only provide 1000. (Perhaps this is why the file gets corrupted?)

If I can't find the command in the history, I grep $HISTFILE to find it. Note it is a "binary" file.
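Volkmar's suggestion of a script that copies the history into a text file, and Dennis's remark that the ksh history file is "binary", suggest the following added example (editor's code, not from any poster): a snapshot script that strips the non-printable bytes, appends only the commands it has not recorded before to a log line stamped with capture time, host and user, and notes when the file has shrunk, which is what it looks like when the user truncates or edits it (the case Eric asks about). The stamp is the time of the copy, not of the command, so it only bounds when a command ran; Patrick's objection still stands. Assumptions: the history file uses NUL and other non-printable bytes between commands (the sample file below is constructed with that layout), the function names, and a `tr` that accepts POSIX character classes and a `tail` that accepts `-n +N`. In use it would run from root's cron against each user's file, with the log and cursor files in a root-owned directory the user cannot write.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: make_sample_history, history_to_text,
# snapshot_history, log_count. Assumes a history file whose commands are separated by
# NUL and other non-printable bytes (the editor's understanding of ksh's .sh_history).
LC_ALL=C; export LC_ALL

# Constructed sample history file: three commands with NUL separators and one stray
# non-printable byte, standing in for a real $HOME/.sh_history.
make_sample_history() {
    printf 'ls -l /etc\000cat /etc/passwd\000\201\000who\000' > "$1"
}

# One command per line: every non-printable byte (other than tab) becomes a newline,
# then blank lines are dropped.
history_to_text() {
    tr -c '[:print:]\t\n' '\n' < "$1" | grep -v '^[[:space:]]*$'
}

# Append commands not yet recorded to LOG, stamped with capture time, host and user.
# CURSOR holds how many lines were recorded last time. If the file now has fewer lines
# than that, the user truncated or rewrote it: log that event and start over.
snapshot_history() {
    hist=$1; log=$2; cursor=$3; user=$4
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ'); host=$(uname -n)
    seen=0
    if [ -f "$cursor" ]; then seen=$(cat "$cursor"); fi
    total=$(history_to_text "$hist" | wc -l | tr -d ' ')
    if [ "$total" -lt "$seen" ]; then
        printf '%s %s %s HISTORY_SHRANK had=%s now=%s\n' \
            "$stamp" "$host" "$user" "$seen" "$total" >> "$log"
        seen=0
    fi
    history_to_text "$hist" | tail -n +"$((seen + 1))" | while IFS= read -r cmd; do
        printf '%s %s %s %s\n' "$stamp" "$host" "$user" "$cmd" >> "$log"
    done
    printf '%s\n' "$total" > "$cursor"
}

# Number of records in a log file, for checks and reports.
log_count() {
    wc -l < "$1" | tr -d ' '
}

# Stand-alone demonstration in a temporary directory.
work=$(mktemp -d)
make_sample_history "$work/sh_history"
snapshot_history "$work/sh_history" "$work/audit.log" "$work/cursor" eric
snapshot_history "$work/sh_history" "$work/audit.log" "$work/cursor" eric   # nothing new
printf 'who\000' > "$work/sh_history"                                          # user truncates
snapshot_history "$work/sh_history" "$work/audit.log" "$work/cursor" eric
cat "$work/audit.log"
rm -rf "$work"
```

The demonstration records three commands on the first pass, nothing on the second, and on the third a HISTORY_SHRANK line followed by the one command left in the file. A user who rewrites the file with the same number of lines is not caught by the line count; only an append-only copy taken often enough limits what can be hidden, which is the weakness Patrick describes.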
Eric Unix
Frequent Advisor

Re: how to trace command issued by unix account

Hello All

Thanks for your kind input. :-)
One another question :
The file .sh_history seems to be modifiable by the user himself, right? Is there any method so that the user cannot modify it? Because if the user can modify it, then this file .sh_history seems to lose its audit function ...

Best Regards
Eric
Look forward
Patrick Wallek
Honored Contributor

Re: how to trace command issued by unix account

Think about it this way.....

If the user is not allowed to modify the .sh_history file, then how will the history be kept?

The user HAS to have write ability to the file in order for the commands they run to be written to it.

>>then this file .sh_history seems lose the audit function ...

As I said above, the shell history was NOT designed to function as an audit tool. It was designed to provide users the ability to recall commands so they don't have to type the same thing over and over.

You are trying to use the shell history for something other than its true purpose. While it can be used for rudimentary auditing, it really is a poor choice.