User Commands

 
SOLVED
Go to solution
Nobody's Hero
Valued Contributor

User Commands

I know this topic has surfaced before because I remember reading about it here; however, a search in the ITRC came up short.

I want to trap what commands a team member is issuing after he su's to root. I can look at history, but I don't think it shows me all the commands that all sessions have been issuing. Is there a way to see what commands they issue after su'ing?
UNIX IS GOOD
Dennis Handly
Acclaimed Contributor

Re: User Commands

There is no really good way. If he can use su without the "-", HISTFILE can be set to nothing. He can also change anything on the system that hasn't already been sent elsewhere.
So probably sudo for each command is a way to track things.
Patrick Wallek
Honored Contributor

Re: User Commands

There is a third party product called PowerPassword that can do things similar to what you require.

It works kind of like sudo, but it does have keystroke logging capabilities.

More information on PowerPassword here:
http://www.symark.com/products/ppoverview.html
Patrick Wallek
Honored Contributor

Re: User Commands

I think I need more coffee this morning.

The product that does things similar to what you require is actually PowerBroker, NOT PowerPassword as I said above.

More info here:
http://www.symark.com/products/pboverview.html
Rasheed Tamton
Honored Contributor
Solution

Re: User Commands

Hi,
As said, PowerBroker is a good tool for this. The pbreplay of PowerBroker can be used to play back the keystroke sessions of root.

You can use the below script, which would give you the last 10 lines (tail default) of the history files of the users who used su today (only today). You can just fine-tune it according to your needs. Maybe someone can fine-tune a more logical one based on this.

#!/sbin/sh
# Today's date as it appears in /var/adm/sulog ("SU 03/15 10:23 + pts/1 user-root").
TDATE="`date +'%m/%d'`"
# Users who successfully switched to root today: field 4 is "+" on success,
# the last field is "source-target"; the spaces around $TDATE keep it from
# matching a time or tty field, and sort -u reports each user once.
for TUSER in `grep " $TDATE " /var/adm/sulog | awk '$4 == "+" && /-root$/ {print $NF}' | cut -d- -f1 | grep -v '^root$' | sort -u`
do
echo ====================================
echo $TDATE
echo $TUSER
echo ====================================
# ~$TUSER is not tilde-expanded by the shell, so look the home directory up in /etc/passwd.
THOME=`awk -F: -v u="$TUSER" '$1 == u {print $6}' /etc/passwd`
tail "$THOME/.sh_history"
echo ====================================
sleep 2
done
rgds.
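As an added example (not code from the thread), the sulog parsing that the script above relies on, factored into shell functions so it can be run and checked against a constructed sample log; it assumes the usual HP-UX sulog line layout "SU MM/DD HH:MM +|- tty source-target" and also reports the failed attempts, which the thread's script ignores.

```shell
#!/bin/sh
# Constructed sample of /var/adm/sulog for this example (not a real log).
SULOG=$(mktemp)
cat > "$SULOG" <<'EOF'
SU 03/15 08:01 + pts/1 alice-root
SU 03/15 08:05 - pts/2 mallory-root
SU 03/15 09:12 + pts/3 bob-root
SU 03/15 09:40 + pts/1 alice-root
SU 03/15 10:02 + pts/4 root-oracle
SU 03/14 23:55 + pts/5 carol-root
EOF

# su_to_root_users FILE DATE
# Prints, one per line and without duplicates, the non-root users who
# successfully ("+") became root on DATE (given as MM/DD).
su_to_root_users() {
    awk -v d="$2" '
        $1 == "SU" && $2 == d && $4 == "+" && $NF ~ /-root$/ {
            sub(/-root$/, "", $NF)      # keep only the source user
            if ($NF != "root") print $NF
        }' "$1" | sort -u
}

# su_failures FILE DATE
# Prints the source-target pairs of failed ("-") su attempts on DATE;
# repeated failures against root are worth a closer look.
su_failures() {
    awk -v d="$2" '$1 == "SU" && $2 == d && $4 == "-" { print $NF }' "$1" | sort -u
}

# Example run over the sample log for 03/15.
for u in $(su_to_root_users "$SULOG" "03/15"); do
    echo "$u became root on 03/15"
done
su_failures "$SULOG" "03/15" | sed 's/^/failed: /'
```

On a real system replace the sample file with /var/adm/sulog and the date with `date +'%m/%d'`, as the script above does.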
Sharma Sanjeev
Respected Contributor

Re: User Commands

Hi

Keon Boks is very good for this

Regards
Sanjeev
Everything is Possible as " IMPOSSIBLE" word itself says I M POSSIBLE