Operating System - HP-UX

Sending User Activity to a log file.

 
Ben_31
Advisor

Sending User Activity to a log file.

I want to monitor a few user accounts. I really want to keep a log with dates and times of all actions/commands that are done with these specific user IDs.

Is there a good document that describes an organized way to do this?

I would rather avoid having to turn on debug level output for every daemon on the box and making users use a hacked shell that logged command line activity. I was hoping there was some other way of doing it.
11 REPLIES
Steven Sim Kok Leong
Honored Contributor

Re: Sending User Activity to a log file.

Hi,

One simple but crude hack would be to make use of .sh_history, and run a cron job that adds an interval timestamp into it.

0,5,10,15,20,25,30,35,40,45,50,55 * * * * date >> /user1/.sh_history

In this way, you can tell that a command has been executed in a time with an error correction of -5 mins to +5 mins.

Hope this helps. Regards.

Steven Sim Kok Leong
Jeff Schussele
Honored Contributor

Re: Sending User Activity to a log file.

Hi Ben,

An easy way to do this would be to run a cron job every so many minutes that copies off their shell history file somewhere for perusal.
Unfortunately the history file doesn't log dates/times, but this could be roughly inferred if you include a date/time stamp when you copy the file & then diff them.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
V. V. Ravi Kumar_1
Respected Contributor

Re: Sending User Activity to a log file.

hi,

Convert the system into a trusted one and you can enable auditing for the users.

You can specify which events (like create, delete etc.) and system calls to be audited.

Better you use SAM to do it.
regds
Never Say No
Steven Sim Kok Leong
Honored Contributor

Re: Sending User Activity to a log file.

Hi,

To enable history, if using sh/bash/ksh, you have to put this in /etc/profile e.g.:

export HISTFILE=$HOME/.sh_history
export HISTSIZE=5000

Hope this helps. Regards.

Steven Sim Kok Leong
Steve Steel
Honored Contributor

Re: Sending User Activity to a log file.

Hi

Something like this in background..


tail -f .history|while read line
do
logger $LOGNAME":"$line
done

Logger writes to syslog

tail /var/adm/syslog/syslog.log
Jul 12 16:37:08 xantia steves: steves:ls -a
Jul 12 16:37:08 xantia steves: steves:cat .history
Jul 12 16:37:08 xantia steves: steves:tail -f .history
Jul 12 16:37:08 xantia steves: steves:ps
Jul 12 16:37:08 xantia steves: steves:tail -f .history|while read line
Jul 12 16:37:08 xantia steves: steves:do
Jul 12 16:37:08 xantia steves: steves:logger $LOGNAME":"$line
Jul 12 16:37:09 xantia steves: steves:done
Jul 12 16:37:12 xantia steves: steves:ps
Jul 12 16:37:15 xantia steves: steves:cd /


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Ben_31
Advisor

Re: Sending User Activity to a log file.

Thanks for all the suggestions. I that shell histories aren't enough. Because they can be modified, redirected or turned off by the users themselves.

I thought about turning accounting on the systems but that really just tells me which processes run and what sys-calls they make. That information is really pretty cryptic and unusable....

I was kind of wondering if there was another solution that I hadn't heard of yet...

Oh well.

Jeff Schussele
Honored Contributor

Re: Sending User Activity to a log file.

Hi (again) Ben,

Take another look at Steve Steel's answer.
It's tailing the history file so entries are essentially being tee'd to the syslog.log file as they hit the history file.
If you set proper perms on syslog file the user's *actual* command history cannot be altered.
Also gives you something to compare the user's actual history file to & easily spot alteration.
As well as the ability to spot the user changing history files - entries quit showing up - they're using a diff hist file. If you're concerned about a cron job being spotted, you can run it via remsh from another system. Run it as root & the user cannot kill it.
I think Steve pegged it pretty well.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
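
The comparison Jeff describes above (the syslog copy against the user's current history file), as an added example that is not part of the original posts. It assumes the syslog line layout shown in Steve Steel's output and a plain-text history file with one command per line; the function names, file names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find commands that reached syslog but are gone from the
# user's history file. Assumes the syslog layout shown in the thread
# ("Mon DD HH:MM:SS host tag: user:command") and a plain-text history file.

# Print the commands syslog recorded for one user, one per line.
logged_cmds() {            # $1 = user, $2 = syslog file
    awk -v u="$1" '{
        marker = " " u ": " u ":"
        i = index($0, marker)
        if (i > 0) print substr($0, i + length(marker))
    }' "$2"
}

# Print each logged command that no longer appears in the history file.
missing_from_history() {   # $1 = user, $2 = syslog file, $3 = history file
    logged_cmds "$1" "$2" | while IFS= read -r cmd; do
        grep -Fxq -e "$cmd" "$3" || printf '%s\n' "$cmd"
    done
}

# Constructed sample data (not real logs); file names are placeholders.
demo() {
    d=${TMPDIR:-/tmp}/histcheck.$$
    mkdir "$d" || return 1
    cat > "$d/syslog.log" <<'EOF'
Jul 12 16:37:08 xantia steves: steves:ls -a
Jul 12 16:37:12 xantia steves: steves:ps
Jul 12 16:38:01 xantia steves: steves:rm /tmp/report.old
Jul 12 16:38:15 xantia steves: steves:cd /
Jul 12 16:38:20 xantia ben: ben:who
EOF
    # History file after the user removed one entry.
    printf '%s\n' 'ls -a' 'ps' 'cd /' > "$d/history"
    missing_from_history steves "$d/syslog.log" "$d/history"
    rm -rf "$d"
}

demo
```

Any line this prints is a command that was logged as it was typed but is no longer in the history file, which is the alteration signal described in the post.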
Ben_31
Advisor

Re: Sending User Activity to a log file.

Jeff, you are right, Steve is pretty close... Well I gave you 7 points but I guess I should have given it to Steve instead. My boss asked me this rather open question about "auditing" user activity. If it was just for login shell activity Steve's answer would probably work great. But I don't know if my boss also will want to know about activity through the scp and sftp and rexec etc.

I could turn on strict logging for all of those things and do Steve's suggestion as well, but I think that it will get pretty tough to collate and analyze those logs.
Frank Slootweg
Honored Contributor

Re: Sending User Activity to a log file.

[I'm not a lawyer and don't even play one on TV, and let's leave my employer out of this, but ...]

I don't know which country you are in, but I advise you to check if what you are asked to do is *legal*, i.e. don't assume it is legal because your manager asked you to do it.

For what it is worth, in our country, The Netherlands (aka 'Holland'), that kind of monitoring would not be legal, unless there was already a valid suspicion against the user(s) involved.
Frank Slootweg
Honored Contributor

Re: Sending User Activity to a log file.

On the *technical* side:

Also have a look at script(1). It will probably not help with abusers/'hackers'/etc., but might be useful for helping good-willing users.
Ben_31
Advisor

Re: Sending User Activity to a log file.

As far as legality, in the US people have very few rights to privacy when they are in the office using company equipment.

I have never heard of an employer being sued in the US for doing anything they wanted on a dedicated server. Even e-mail and instant messaging gets snooped by companies here. If you are in the office using a company machine on the company network you have no expectation of privacy.

A previous employer of mine had international offices and a German employee (based in a German office) sued the company on the grounds that we intercepted his e-mail and violated his privacy. Turns out that the server that we looked at the e-mail on was in the US, even though the e-mail was originated and destined for residents of Germany.

The German legal system said that the employee had no recourse since he knew that he was working for an American company and that when his communications were in Germany they were treated legally, but when they left Germany they were treated the same way that the company's non-German communications were treated. However the court said this was a special case of an IT dept. worker who should have known better. The court said that our company should have all the other German employees sign a statement acknowledging that their communications were not private if/when they left German borders.

I will look into "script" and see what it does.

Thanks,