You asked:
> I need to research internal actions by co-workers. Any file that contains communication information such as telnet, ftp etc. As well as any commands run by root.
Sounds like your system is having problems due to too many root users or inexperienced users. It's not going to be a simple task but here are the top level pieces:
last -R user_login
(that shows each time the user logs in and from what IP/hostname or serial port)
cat /home/user_login/.sh_history
(shows all commands typed into the shell by the user)
user_login can be any user or for root, login as root and cat the .sh_history file as well as running last as in: last -R root
Check for duplicate root users (a very bad security problem) by typing this into a file called chkrootid:
#!/usr/bin/sh
cut -f1,3 -d: /etc/passwd \
| tr ":" " " \
| while read USER UID
do
[[ $UID = 0 ]] && echo "user $USER is $UID"
done
Then chmod 700 chkrootid and run it as: ./chkrootid and you should get only one entry. Multiple entries are not good. You'll need sudo to distribute limited root privileges.
Now for a true security breach, the steps are quite involved depending on the sophistication of the attacker. First you have to determine: are the problems related to inexperienced users making dumb mistakes, or are the problems due to disgruntled employees, or has there been an actual attack on the system where a sophisticated user (perhaps a temp worker or contractor?) has broken in? That will likely require a security professional familiar with HP-UX and security problems.
Tools such as Bastille, sudo, ssh, etc are used to harden the system before it goes onto the network and are primarily used to prevent attacks, not detect them. IDS/9000 is a good product but will need some time to setup and some effort to monitor.
Bill Hassell, sysadmin
