HPE Community
Operating System - HP-UX
1834007 Members
1967 Online
110063 Solutions
New Discussion

Re: How to trace who/what ran a script?

 
SOLVED
Go to solution
Olga_1
Regular Advisor

‎06-14-2005 03:12 AM

‎06-14-2005 03:12 AM

How to trace who/what ran a script?

I have HP 11.00 box.
I need to find out who/what started a script from /usr/local/bin.
From syslog I can see the following:

Jun 12 09:49:13 my_box su: + 2 root-oracle
Jun 12 10:50:24 my_box su: + 2 root-oracle
Jun 12 11:10:20 my_box su: + 2 root-oracle
Jun 12 11:15:05 my_box su: + 2 root-oracle
Jun 12 11:23:10 my_box above message repeats 2 times
Jun 12 11:27:26 my_box diagmond[1573]: Exit due to user requested abort
Jun 12 11:28:33 my_box DB_NAME-repserv.sh-23797[1289]: Start of repserv.sh-23797 run
.
Jun 12 11:28:34 oms063 DB_NAME-repserv.sh-23797[1311]: End of repserv.sh-23797 run.
Exit return value is 0
Jun 12 11:28:35 my_box syslogd: going down on signal 15

System was rebooted at 11:28 by SysAdmin, but he did not start the script.

history, /etc/rc.log or shtdownlog do not show anything.

Appreciate your help,
Olga
0 Kudos
Reply
8 REPLIES 8
Juan M Leon
Trusted Contributor

‎06-14-2005 03:25 AM

‎06-14-2005 03:25 AM

Re: How to trace who/what ran a script?

Does your script outputs to a log file?.
if you dont have a log-file I will suggest to create a log-file for future reference.
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎06-14-2005 03:29 AM

‎06-14-2005 03:29 AM

Solution

Re: How to trace who/what ran a script?

What about cron or at jobs? Check /var/adm/cron/log for any information from that time.

It sounds like you have checked the usual suspects.
Reply
Olga_1
Regular Advisor

‎06-14-2005 03:45 AM

‎06-14-2005 03:45 AM

Re: How to trace who/what ran a script?

Script does have a log, but it only indicates what was done and Exit code. The script was succesfull but it was not suppose to run.

Cron log shows last entry at 11:25, and it is not the script

Any other ideas?

Thank you.
0 Kudos
Reply
Mel Burslan
Honored Contributor

‎06-14-2005 04:07 AM

‎06-14-2005 04:07 AM

Re: How to trace who/what ran a script?

run a "last | more" command and see who was logged in interactively at the time of script execution.
________________________________
UNIX because I majored in cryptology...
Reply
Rick Garland
Honored Contributor

‎06-14-2005 04:23 AM

‎06-14-2005 04:23 AM

Re: How to trace who/what ran a script?

If you allow direct logins as root, you will need to correlate the time stamp. Who was logged in as root during this time.

If you prevent direct root logins, you can have more logging as to who became root to do the execution.

If many people have root, take it away from as many as you can
0 Kudos
Reply
Andrew Cowan
Honored Contributor

‎06-14-2005 07:17 PM

‎06-14-2005 07:17 PM

Re: How to trace who/what ran a script?

Are you running process accounting? If so you can examine your user's connect time logs, and a list of the commands they have run.

The other option is if they ssh'd in there maybe some records in your syslog.
0 Kudos
Reply
Eknath
Trusted Contributor

‎06-14-2005 10:40 PM

‎06-14-2005 10:40 PM

Re: How to trace who/what ran a script?

HI Olga,

I was just thinking if .sh_history file can help. But you need to search through the possible users who can log in. Because it would be difficult if you have many users. Also check if you have auditing enabled.

Cheers !!!
eknath
0 Kudos
Reply
Olga_1
Regular Advisor

‎06-15-2005 05:29 AM

‎06-15-2005 05:29 AM

Re: How to trace who/what ran a script?

In case you would like to know what happend:

dba ran this script with nohup few months ago, then interrupted it, I guess with Ctrl+C. It was STOPPED and recent reboot triggerred it ....
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.