Operating System - HP-UX

Ideas on auditing/monitoring users

 
MAD_2
Super Advisor

Ideas on auditing/monitoring users

No wonder I was not getting any responses. Originally, I had posted this in the wrong area (databases). I wish there was an easier way to change the posting when we make a mistake.

I need to find out if someone can help me regarding how to monitor/audit user input.

Basically, I would like to stay away from turning auditing on, unless someone can help me with the specific events I should be turning on for the specific purpose of monitoring user commands and creation, modification, or deletion of files. Specifically I would like to capture:
- user login
- user log out
- user commands
- user addition/deletion/change of files

I was advised to use "script", however the downfall here is that there is no time-stamp, and I am also interested in time stamps. Furthermore, we end up with those bogus end of line CR characters recorded while using script and also the comment that Pete Randall presented regarding adding script to /etc/profile.

Here are some other threads I started regarding this subject:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x5ad989dc1dbf1240bef5d48e6b7234d8,00.html

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x416c613d9417d84780f71cb480c47f06,00.html

Any scripts out there, ideas, tools that are not extremely expensive?

Thanks for your comments.
Contrary to popular belief, Unix is user friendly. It's just very particular about who it makes friends with
Steven Sim Kok Leong
Honored Contributor

Re: Ideas on auditing/monitoring users

Hi,

One way I can think of is to set the HISTFILE to readonly in the system-wide profile and put the HISTFILE in a specific non-obvious location.

For user addition/deletion/change of files, the most straightforward way is to rely on HISTFILE again to record any add/delete/change commands used. This is not foolproof. Ultimately, you still need to monitor the respective filesystem calls to be truly exhaustive.

In its simplest form, off the top of my head (requires testing), the system login script can go something like this, using an unused logging facility:

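# Per-user history file in a non-obvious location; readonly so the user cannot repoint it
export HISTFILE=/var/history/.$LOGNAME
readonly HISTFILE
logger -t "$LOGNAME" -p mail.crit "$LOGNAME logged in"
# Forward each new history line to syslog, which adds the timestamp
tail -1f "/var/history/.$LOGNAME" | logger -t "$LOGNAME" -p mail.crit &
# Poll once a minute and log the logout once the session is no longer listed by last
while sleep 60; do if last "$LOGNAME" | head -1 | grep "still logged in" >/dev/null 2>&1; then :; else logger -t "$LOGNAME" -p mail.crit "$LOGNAME logged out"; exit; fi; done &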

logger would give you the timestamps of every command typed. For each user login, his login is tracked, the commands he executed are tracked, including CLI add/delete/change commands, and finally, his logout.

Hope this helps. Regards.

Steven Sim Kok Leong
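
As an added example (not part of the post above), here is one way to turn the syslog lines that login script emits into a per-user timeline of login, commands, likely file changes and logout. It assumes the classic "Mon DD HH:MM:SS host tag: message" syslog layout; the helper name user_timeline, the host name and the user names are made up for the illustration.

```shell
#!/bin/sh
# Added example: rebuild one user's timeline from the lines written by
# "logger -t $LOGNAME -p mail.crit" in the login script above.
# Assumed line layout: "Mon DD HH:MM:SS host tag: message".

# Constructed sample data; host and user names are made up.
SAMPLE_LOG='Jan 12 09:14:02 hpux1 alice: alice logged in
Jan 12 09:14:40 hpux1 alice: ls -l /etc/passwd
Jan 12 09:15:10 hpux1 alice: /usr/bin/rm /tmp/report.old
Jan 12 09:15:30 hpux1 sendmail[1234]: AA01234: stat=Sent
Jan 12 09:16:05 hpux1 bob: bob logged in
Jan 12 09:17:00 hpux1 alice: vi /home/alice/.profile
Jan 12 09:18:12 hpux1 bob: date > /tmp/stamp
Jan 12 09:20:02 hpux1 alice: alice logged out'

# user_timeline USER  (hypothetical helper; reads syslog lines on stdin)
# Prints "timestamp<TAB>event<TAB>detail" for USER only.
user_timeline() {
    awk -v u="$1" '
    $5 == (u ":") {                        # match on the tag, so real mail lines are skipped
        ts = $1 " " $2 " " $3
        i = index($0, " " u ": ")
        if (i == 0) next                   # empty message, nothing to record
        msg = substr($0, i + length(u) + 3)
        if (msg == u " logged in")       { ev = "LOGIN";  insess = 1 }
        else if (msg == u " logged out") { ev = "LOGOUT"; insess = 0 }
        else {
            split(msg, w, " "); cmd = w[1]
            sub(/.*\//, "", cmd)           # /usr/bin/rm -> rm
            # Commands that usually create, change or delete files, plus
            # output redirection. A heuristic, not an exhaustive list.
            if (cmd ~ /^(rm|mv|cp|vi|ed|ln|touch|chmod|chown|mkdir|rmdir)$/ || msg ~ />/)
                ev = "FILECHG"
            else
                ev = "CMD"
        }
        printf "%s\t%s\t%s\n", ts, ev, msg
    }
    # No logout line: session still open, or the polling loop never reported it.
    END { if (insess) printf "-\tOPEN\tno logout line recorded for %s\n", u }'
}

printf '%s\n' "$SAMPLE_LOG" | user_timeline alice
```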
Andrew Cowan
Honored Contributor

Re: Ideas on auditing/monitoring users

Hi,

Don't forget that user monitoring can have legal consequences. You may have to inform your users that you are monitoring them and that sensitive data may be recorded.

There are some flight-recorders under development by various commercial organisations, however I have not seen anything usable as yet.

One of the simplest FREE ways to keep tabs on what users are doing is to install process-accounting.

Good luck,
Andrew
Steven E. Protter
Exalted Contributor

Re: Ideas on auditing/monitoring users

The HISTFILE is one way to monitor command line keystrokes, if your users get the command line. 95% of my users don't get the command line.

There are good auditing features built into trusted systems as well.

To go trusted, you can either install and run Bastille, which will do it for you as part of a yes/no question in X-windows.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

You can also do it from Sam

sam
auditing and security
system security policies

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Virgil Chereches_2
Frequent Advisor

Re: Ideas on auditing/monitoring users

I've found a specific tool very handy for monitoring the users' activity: ttyrec.
Ttyrec records the timing of the user session so you could, with a few modifications, add a time stamp to every command the user types.
It's also great for recording menu-based sessions (much better than script).
You can find ttyrec at http://freshmeat.net/redir/ttyrec/10793/url_homepage/ttyrec.


Good luck,
Virgil.