trimming acct loggings

 
Maurice Peterse
Frequent Advisor

I want to put accounting on 1 user only.
Is this possible?

5 REPLIES
Magdi KAMAL
Respected Contributor

Re: trimming acct loggings

Hi,

Yes you can.
1. Go into sam.
2. Auditing and Security.
3. Audited users.
4. Convert to trusted system; this will audit all the users by default.
5. Modify (right button in Motif: popup or action menu in ASCII mode) the users list to audit the users you want to audit.
Rita C Workman
Honored Contributor

Re: trimming acct loggings

If you mean you want one user to be set up as a 'trusted environment', I guess I would have to say no, I don't believe you can do that. A trusted system is a trusted 'SYSTEM'.
But, you could do something about keeping their .sh_history and write a script to keep these for your review to see what a user is keying on the command line. I've done this when I'm watching users.

Now others may come up with some more ideas... or maybe some third party software to help with this.

Just a thought,
Rita
James R. Ferguson
Acclaimed Contributor

Re: trimming acct loggings

Hi Maurice:

You can also get some very rudimentary accounting information (logons) from 'last' and 'lastb'.

To enable logging successful logons, do:

# touch /var/adm/wtmp
# chmod 644 /var/adm/wtmp

To enable logging unsuccessful ones:

# touch /var/adm/btmp
# chmod 644 /var/adm/btmp

These will grow without bounds. To empty them, do:

# cat /dev/null > /var/adm/wtmp
# cat /dev/null > /var/adm/btmp

To manipulate records in these files, use 'fwtmp'.

To see the last three successful logins for 'root', for example, do:

# last -R -3 root

Take a look at the man pages for 'last', for 'fwtmp' and for 'acct' [1M] for more information.

...JRF...
Bill Hassell
Honored Contributor

Re: trimming acct loggings

Just a security note about /var/adm/btmp: the permissions for btmp should be 600, not 644. You don't want everyone with a login being able to read the bad login list with lastb. Often users will accidentally type in their password at the login prompt and this will be recorded in the btmp file.

By making btmp readable only by root, these mistakes are protected.

Another auditing feature that is often overlooked is the shell history file which is in $HOME/.sh_history by default.


Bill Hassell, sysadmin
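A permission check for the two login accounting files discussed in the replies above, added here as an example and not posted by any participant in the thread. The function names and return codes are assumptions; the mode is read from `ls -ld` so the script does not depend on a `stat` command.

```shell
#!/bin/sh
# Added example: audit permissions on the login accounting files.
# Policy assumed from the thread: btmp allows no group/other access (600);
# wtmp may be world-readable but not group/other-writable (644).

# perm_string FILE: print the nine permission characters, e.g. rw-r--r--
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# check_login_log FILE KIND   (KIND is btmp or wtmp)
# Returns 0 = acceptable, 1 = too permissive, 2 = missing, 3 = unknown KIND.
check_login_log() {
    [ -f "$1" ] || return 2              # no file means logins are not recorded
    go=$(perm_string "$1" | cut -c4-9)   # group and other bits only
    case $2 in
        btmp) [ "$go" = "------" ] || return 1 ;;
        wtmp) case $go in
                  ?-??-?) ;;             # neither group nor other may write
                  *) return 1 ;;
              esac ;;
        *) return 3 ;;
    esac
    return 0
}

# audit_login_logs [DIR]: report on DIR/btmp and DIR/wtmp (default /var/adm).
# Returns 0 only if both files exist with acceptable permissions.
audit_login_logs() {
    dir=${1:-/var/adm}
    worst=0
    for kind in btmp wtmp; do
        rc=0
        check_login_log "$dir/$kind" "$kind" || rc=$?
        case $rc in
            0) echo "OK       $dir/$kind $(perm_string "$dir/$kind")" ;;
            1) echo "TOO OPEN $dir/$kind $(perm_string "$dir/$kind")"; worst=1 ;;
            2) echo "MISSING  $dir/$kind (logins not being recorded)"; worst=1 ;;
        esac
    done
    return $worst
}
```

Call `audit_login_logs` with no argument to check `/var/adm`; a non-zero exit status means at least one file is missing or too permissive.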
Maurice Peterse
Frequent Advisor

Re: trimming acct loggings

ok, thanx so far, guys

Starting accounting and then putting it just on 1 user, does that reduce the workload for the machine (as to putting accounting on all users)?

I need minimal impact on the machine and I've tested it on a test-machine, but that wasn't a "real" situation.