Operating System - HP-UX

Re: procedures for or software to log system events

 
Mark Stewart
Frequent Advisor

procedures for or software to log system events

I was wondering if anyone might be able to tell me a good way to implement a system of logging information about when users log in and out of the system, and less importantly, what commands they execute and when.

This could be either taking advantage of a built-in feature of HP-UX or purchasing an outside piece of software to handle it (this is probably the easier option, I would expect).

Any recommendations or help anyone could provide on this would be greatly appreciated. Thanks!
harry d brown jr
Honored Contributor

Re: procedures for or software to log system events


You can turn on process accounting - something I have never done.

I believe that all users should be kept out of shell prompts. There is no valid reason for a user to be at one, unless of course your user is a developer.

live free or die
harry
Live Free or Die
Wilfred Chau_1
Respected Contributor

Re: procedures for or software to log system events

You will have to turn on accounting. Then you will be able to use lastcomm to see who ran which and at what time.
Michael Tully
Honored Contributor

Re: procedures for or software to log system events

Turning on system accounting will use system resources and disk space. Unless you are prepared for the overhead my advice is don't use it. I agree with Harry on shell user restriction, but sometimes it is unavoidable. Here is a white paper on system accounting that is worth reading.

http://www.hmdc.harvard.edu/micah_altman/unix/sysacct.pdf
Anyone for a Mutiny ?
Paul Sperry
Honored Contributor

Re: procedures for or software to log system events

If your system is a trusted system you can turn on Auditing and security via SAM.
Mark Stewart
Frequent Advisor

Re: procedures for or software to log system events

It was mentioned that turning on the Auditing and Security features would use system resources. The small LAN I administrate only has about 5-6 users, with only 3-4 (at most) on at one time. Would this still be a serious drain on system resources, or would it be negligible?

Also, if it would hoard resources too badly, is there any 3rd party software anyone can recommend to do this?
MANOJ SRIVASTAVA
Honored Contributor

Re: procedures for or software to log system events

Mark


The easiest way is to check the logins: disable the direct logins, and the users can do su to root or to oracle to get their work done. This way you can check the su log and at least know who logged in from where and for how long.


In order to get a comprehensive report for the users you can also turn on the process accounting, provided you have enough space in the root. Do a man accton; this is the file under /usr/sbin/acct.

The process accounting can be turned on by /usr/bin/acct/turnacct (on/off). This will store the log under /var/adm/pacct, and it can be viewed using acctcom.



Manoj Srivastava
Ed Mitchell_1
Advisor

Re: procedures for or software to log system events

Take a look at PowerBroker. It's an excellent product, but not free. You can download a 30 eval copy at:

http://www.symark.com/powerbroker.htm
if it ain't broke, don't patch it.
Bill Hassell
Honored Contributor

Re: procedures for or software to log system events

A Trusted System consumes no resources. Using the auditing feature will use CPU time that is totally dependent on how much you want to audit. It has zero effect on the LAN but can use hundreds of megs of disk space depending on what you want to audit.

It sounds like users are making mistakes and the system is not set up for good security procedures (permission problems, duplicate root users, etc). Every POSIX (and ksh) shell command can be logged to the file $HOME/.sh_history by adding this to the end of /etc/profile:

export HISTFILE=$HOME/.sh_history
export HISTSIZE=500
export EDITOR=vi

You can see the login history with the commands last and lastb. These two commands look at the login history files. Couple that with the contents of each user's .sh_history, and you should have a good record of activity.

As mentioned, untrained or inexperienced users should NOT be given a shell prompt but instead, write a menu program to limit the user choices (and therefore potential damage).


Bill Hassell, sysadmin
Scott Van Kalken
Esteemed Contributor

Re: procedures for or software to log system events

Depending on the shell you use you may also find that a .logout is useful. I think from memory (but don't quote me) that csh has this. I know that csh is evil compared to POSIX-ish shells, but it may be another option.

I think that the history file is also a good option.

I have also changed the permissions of su on my systems and provided sudo for people. It's more work initially to set up, but is a better option due to auditing and granularity of control.

You may also want to look at putting something into /etc/profile like:

# Log the time and remote address of each oracle login (runs from /etc/profile).
if [ "$LOGNAME" = "oracle" ] ; then
    # who -mR prints the remote host in parentheses; take the text between them.
    # The separator must be given with -F: setting FS inside the action only
    # affects the next line read, so the original split never happened.
    IP=`who -mR | awk -F'(' '{print $2}' | awk -F')' '{print $1}'`
    DTE=`date`
    echo "$DTE $IP" >> /var/adm/oracle-logins.log
fi


This way it checks everyone, you get the IP address, and you can do what we do here, which is restrict these logins to specific IP ranges or addresses.

The good thing about the log file is that you can see who is using these accounts before actually making any changes.

Hope this helps.

Scott.
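A fuller version of the /etc/profile login-logging idea from this post (and of Bill's /etc/profile suggestion above), added here as an example and not code from the thread: it pulls the tty and remote host out of the who -mR line without the awk FS pitfall, covers a list of shared accounts rather than just oracle, and records "local" for console logins that carry no host. The account list, the log path, and the assumption that HP-UX who -mR ends the line with the remote host in parentheses are all mine.

```shell
#!/bin/sh
# Added example: record logins to shared accounts from /etc/profile.
# Assumptions: `who -mR` prints the remote host in parentheses at the end of the
# line, e.g. "oracle     pts/3   Mar  1 10:42   (10.1.2.3)"; LOGIN_LOG is a
# placeholder path that should be root-owned, mode 600, and append-only for users.

WATCHED_ACCOUNTS="oracle root"           # shared accounts worth recording
LOGIN_LOG=/var/adm/shared-logins.log     # placeholder path

# Print the text between the last "(" and the following ")" of a who(1) line.
# Prints an empty line when no host is present (console logins).
who_remote_host() {
    case "$1" in
        *\(*\)*) h=${1##*\(}; printf '%s\n' "${h%%\)*}" ;;
        *)       printf '\n' ;;
    esac
}

# Return 0 when the account is one we want to record.
is_watched() {
    for a in $WATCHED_ACCOUNTS; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Build one log record: timestamp, account, tty, remote host (or "local").
# Takes the account, the who(1) line and the timestamp as arguments so it can
# be exercised without an actual login.
format_login_record() {
    acct=$1; wholine=$2; stamp=$3
    tty=$(printf '%s\n' "$wholine" | awk '{print $2}')
    host=$(who_remote_host "$wholine")
    [ -n "$host" ] || host=local
    printf '%s user=%s tty=%s from=%s\n' "$stamp" "$acct" "$tty" "$host"
}

# Real use in /etc/profile: consult only the current login's who line.
log_current_login() {
    if is_watched "$LOGNAME"; then
        format_login_record "$LOGNAME" "$(who -mR)" "$(date '+%Y-%m-%d %H:%M:%S')" \
            >> "$LOGIN_LOG" 2>/dev/null
    fi
}
```

Call log_current_login from /etc/profile; because the record carries the source host, the same log file can later back a check that restricts shared-account logins to the addresses you expect, as Scott describes.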
Mark Stewart
Frequent Advisor

Re: procedures for or software to log system events

Well, I went forward with turning on the auditing features built into SAM, but it has led me to a new question. A separate, non-root, user needs to be able to check the contents of the logs. It appears that you have to login to SAM in order to check these logs. Is there any other way that I could allow this person to see the logs without giving them root access? Thanks!