HPE Community
Operating System - HP-UX
1836842 Members
2350 Online
110110 Solutions
New Discussion

Re: Recording events/commands/history of particular accounts

 
MAD_2
Super Advisor

‎08-25-2003 08:18 AM

‎08-25-2003 08:18 AM

Recording events/commands/history of particular accounts

I'd like to know if some of the gurus here can share scripts, ideas, and or provide information on tools to record what a user is doing, specifically commands. However, I would like something better than what is in sh_history, since the information in there is not time stamped, and that is what I really want.

Also, how can I increase/decrease the number of entries kept in the history file?

I have been reading a lot about auditing (we do have our systems in trusted mode), however the size of the logs created is huge and the information within them many times is quite difficult to read... Plus much of it is more than what I really need, and the overhead, oh the overhead on the system.

I would prefer to set this in a place aside the .profile of each user, since it is a few of them, but not all of the accounts will be audited this way. Please share your ideas, thanks!
Contrary to popular belief, Unix is user friendly. It's just very particular about who it makes friends with
0 Kudos
Reply
6 REPLIES 6
Pete Randall
Outstanding Contributor

‎08-25-2003 08:26 AM

‎08-25-2003 08:26 AM

Re: Recording events/commands/history of particular accounts

Adam,

First, to increase/decrease the size of the history file, use the HISTSIZE variable: "export HISTSIZE=500" will keep 500 entries.

Second, since you want timestamps, the only way go get "history" is going to be through the system's accounting functions. If you can get along with out timestamps, you might want to look at the script command. Putting something like "script /tmp/histfile.$(whoami) in their startup script (profile or whatever) will give you a complete history, both input and output, of everything they do.


Pete


Pete
0 Kudos
Reply
MAD_2
Super Advisor

‎08-25-2003 08:34 AM

‎08-25-2003 08:34 AM

Re: Recording events/commands/history of particular accounts

Thanks Pete,

Where do I set the HISTSIZE globally? For all users instead of per session?

Also, is there a place where I can place the "script" command so that it will create a record for all users logging in too? I guess I could use some sort of time stamp per time period (like add date and time to the specific histfile created), so that if they log in and out multiple times in a day at least I have an idea of the time frames when the commands took place. Also, why am I getting recorded a CR character in the history using script?

See this example from a short session:

===========================================

Script started on Mon Aug 25 12:00:54 2003
# pwd^M
/home/mad^M
# cd /^M
# q^H ^H^M
# pwd^M
/^M
# pwd^M
/^M
# cd hom^H ^H^H ^H^H ^H/home/mad^M
# pwd^M
/home/mad^M
# ls -^H ^H-la^M
total 5468^M
drwxr-xr-x 6 mad dba 3072 Aug 24 16:09 .^M
drwxr-xr-x 19 mad dba 1024 Aug 23 16:31 ..^M
-rw-r--r-- 1 mad dba 814 Apr 14 2002 .cshrc^M
drwx------ 2 mad dba 96 Aug 4 2002 .elm^M


===========================================
Thanks!
Contrary to popular belief, Unix is user friendly. It's just very particular about who it makes friends with
0 Kudos
Reply
twang
Honored Contributor

‎08-25-2003 08:59 AM

‎08-25-2003 08:59 AM

Re: Recording events/commands/history of particular accounts

Assuming the users have the standard POSIX shell (or perhaps ksh), put this in your /etc/profile file:

export HISTFILE=$HOME/.sh_history

Just to be sure, create the shell history file in every user's directory. Assuming (again) that all users have their HOME in the /home directory, do this one time:

umask 077
export PATH=/usr/bin
for MYHOME in /home/*
do
MYUSER=$(basename $MYHOME)
touch $MYHOME/.sh_history
chown $MYUSER $HOME/.sh_history
done
0 Kudos
Reply
John Dvorchak
Honored Contributor

‎08-25-2003 09:02 AM

‎08-25-2003 09:02 AM

Re: Recording events/commands/history of particular accounts

When ever I want to set a variable for everyone I use the /etc/profile file. It is read first at login, so you can make global changes there. But you have to remember that is the users set a variable in their own .profile file, that will be read second and will over ride what you did in /etc/profile.

echo "export HISTSIZE=500" >> /etc/profile

That will set it for you and the next time someone logs in they will have the new HISTSIZE size of 500 lines.
If it has wheels or a skirt, you can't afford it.
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎08-25-2003 09:13 AM

‎08-25-2003 09:13 AM

Re: Recording events/commands/history of particular accounts

Hi Adam,

>Where do I set the HISTSIZE globally? For all users instead of per session?

As others said - use /etc/profile.


>Also, is there a place where I can place the "script" command so that it will create a record for all users logging in too?

Once again, if it's for all users, you're going to need to set it up in /etc/profile. For individual users, you can put it in their $HOME/.profile.

>Also, why am I getting recorded a CR character in the history using script?

I'm afraid that's the nature of the script command, you're seeing every keystroke, the backspaces, the carriage returns, everything. Admittedly, it makes it a little awkward to read.


I also just did a little experiment, putting the script command in /etc/profile, then logging in via CDE - it doesn't really work too well. The script file gets created but none of the commands that I execute in various dtterm windows get recorded. I think in this case you would have to add a script command to the button you use to raise the dtterm window.



Pete


Pete
0 Kudos
Reply
Hemanth Gurunath Basrur
Honored Contributor

‎08-25-2003 07:10 PM

‎08-25-2003 07:10 PM

Re: Recording events/commands/history of particular accounts

Hi Adam,

You may want to try samlog_viewer. For more information, refer to:

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B3921-90010/B3921-90010_top.html&con=/hpux/onlinedocs/B3921-90010/00/03/317-con.html&toc=/hpux/onlinedocs/B3921-90010/00/03/317-toc.html&searchterms=samlog_viewer&queryid=20030825-210706

Hope this helps.

Regards,
Hemanth
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.