Barbara Flynn_1
Frequent Advisor

Tracing a user login

Hi

I am trying to trace the activities of a user on my servers. I can see him logging on to one server at x time from y IP on to z pts.....he then rlogins across to another server but obviously gets allocated a different pts......how can I exactly trace his movement from pts z on server a to pts 4 on server 6?

I've used last -R but it doesn't give me what I need, syslog isn't too helpful either, anywhere else I can look?

Thanks Barbara

RAC_1
Honored Contributor

Re: Tracing a user login

man script

With this you can log all that appears on his screen to a file. But keep in mind that the log file grows rapidly.

Anil
There is no substitute to HARDWORK
Barbara Flynn_1
Frequent Advisor

Re: Tracing a user login

Anil

I don't really understand what you mean. I am trying to trace something that happened already not monitor his future actions......

Cheers Barbara
RAC_1
Honored Contributor

Re: Tracing a user login

If it has already happened, there is no way to know what appeared on his terminal.

If you have auditing enabled for that user, you can check audisp, audevent. If auditing is not enabled, then you can only check for failed logins, his command history (if it was set). The command history file is .sh_history in user's home directory.

Anil
There is no substitute to HARDWORK
Barbara Flynn_1
Frequent Advisor

Re: Tracing a user login

Hi Anil

I am trying to trace what was on his terminal. I am trying to trace just his movement from one server to another.

He started on tty pts/0 on server a and then "rlogined" to server b and was allocated tty pts/a. I need to be able to prove absolutely that it was the same person on both servers and if I can link his pts/a to pts/0 then I have proof. Unfortunately he uses a shared account.

Cheers Barbara
Barbara Flynn_1
Frequent Advisor

Re: Tracing a user login

Sorry that should say I am NOT trying to trace what was on his terminal!
RAC_1
Honored Contributor

Re: Tracing a user login

On server b, you should be able to check the syslog/last/lastb, which will tell you all these details.

Anil
There is no substitute to HARDWORK
Barbara Flynn_1
Frequent Advisor

Re: Tracing a user login

Anil

I've done all that but those files don't give me exactly what I am looking for. They provide the originating server name but not the tty.

Thanks Barbara
Gordon  Morrison
Trusted Contributor

Re: Tracing a user login

If you're trying to "follow" him while he moves around, try "who -u" on each server he rlogins to - that will give additional info such as where he logged in from, then "ps |grep " starting at his login process and you can see what else he gets up to. You can also do a "tail -f" on his .sh_history file to see commands as he types them.
What does this button do?
Gordon  Morrison
Trusted Contributor

Re: Tracing a user login

Oops! I forgot he was using a shared account.
Put this line in the shared user's .profile

HISTFILE=.hist$$;

Then do a "who -u" to get his PID, and "tail -f .hist${PID}"
What does this button do?
Peter Godron
Honored Contributor

Re: Tracing a user login

Barbara,
I think you have a problem 'proving' the tty side, especially with a shared account!
You will be able to prove the IP address on the second server, but it will only show server one.
Partial proof may be the timestamp?
The rlogin to the second server would be logged in the .sh_history file on the first server.
You may get some more info from the 'last' command on the second server.
Regards
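
Added example, not part of any post in this thread: the timestamp correlation suggested in the last reply, listing for each session on server b that came from server a the server-a sessions that were open when it started. The record layout, the host names `servera`/`serverc`, the addresses and the year are constructed assumptions, not real `last` output.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real output), in an assumed layout:
# user tty origin weekday month day start - end
SERVER_A = """\
shared pts/0 10.1.1.50 Mon Jan 10 09:12 - 09:58
shared pts/1 10.1.1.77 Mon Jan 10 09:20 - 09:31
"""
SERVER_B = """\
shared pts/4 servera Mon Jan 10 09:15 - 09:40
shared pts/5 servera Mon Jan 10 09:25 - 09:29
shared pts/6 serverc Mon Jan 10 09:16 - 09:30
"""

def parse(text, year):
    """Turn each closed-session record into a dict with datetime start/end."""
    sessions = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or f[7] != "-":
            continue  # skip still-logged-in, reboot and malformed lines
        day = f"{year} {f[4]} {f[5]}"  # the records carry no year
        start = datetime.strptime(f"{day} {f[6]}", "%Y %b %d %H:%M")
        end = datetime.strptime(f"{day} {f[8]}", "%Y %b %d %H:%M")
        if end < start:  # session ran past midnight
            end += timedelta(days=1)
        sessions.append({"tty": f[1], "origin": f[2], "start": start, "end": end})
    return sessions

def correlate(a_sessions, b_sessions, a_host):
    """Map each tty on B that logged in from a_host to the (tty, origin)
    pairs on A that were open at that moment. One candidate is a strong
    link; several means the timestamps alone cannot tell them apart."""
    result = {}
    for b in b_sessions:
        if b["origin"] != a_host:
            continue
        result[b["tty"]] = [(a["tty"], a["origin"]) for a in a_sessions
                            if a["start"] <= b["start"] <= a["end"]]
    return result

if __name__ == "__main__":
    found = correlate(parse(SERVER_A, 2005), parse(SERVER_B, 2005), "servera")
    for tty, candidates in found.items():
        verdict = "unique" if len(candidates) == 1 else "ambiguous"
        print(tty, verdict, candidates)
```

With minute-resolution timestamps and a shared account, two overlapping sessions on server a stay indistinguishable (pts/5 here), which is where the rlogin entry in a per-session history file on server a becomes the tie-breaker.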