
user login record

 
Yu Zhen_1
Occasional Contributor

user login record

Someone has made some modifications on the system, and I'm trying to spot who made the change and from where (IP address). Which log or command can show me this information?
5 REPLIES 5
Steven Sim Kok Leong
Honored Contributor

Re: user login record

Hi,

For usage accounting, you can use runacct (run accounting mode) and acctcom (list accounting records). man runacct and man acctcom for more information. This comes with HP-UX PRM application.

To track the opened files and opened processes from a specific IP address, you can only perform it in real-time mode using lsof. lsof is a third-party utility that does not come with HP-UX.

If you just want to monitor the network services used from a particular IP: in historical mode, enable inetd -l for inetd logging; in real-time mode, use netstat -f inet or lsof.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Michael Tully
Honored Contributor

Re: user login record

Hi,

Unless you already have some sort of
system accounting or auditing, it would
be extremely difficult.

To prevent this occurrence, the first thing to
do would be to search the system for any
files that are:

-rw-rw-rw- 1 root root 1116 Dec 2 05:33 file
or
-rwxrwxrwx 1 root root 1116 Dec 2 05:33 file

and change them to more appropriate privileges.

Change the root password.
Search through the /var/adm/sulog for the persons responsible that should not have access.
Make sure that your /var/adm/inetd.sec file
is secure.
Implement something like 'sudo' to assist in
your security.
Add the word 'console' to /etc/securetty
(without the quotes) so that users cannot login
directly as root.

HTH
-Michael
Anyone for a Mutiny ?
Darrell Allen
Honored Contributor

Re: user login record

Hello,

I'm afraid it will be a difficult if not impossible task to get the information you want. You can use the "last" command to see when people logged in. You can use "who -a /var/adm/wtmp" and get more information. /var/adm/sulog lists people who changed accounts with "su". /var/adm/syslog/syslog.log may have some information depending on the logging options you have. Most of this is not going to tell you who did what though. Unless you had a tool in place beforehand, you're going to be very limited in what you can find.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Michael Tully
Honored Contributor

Re: user login record

Hi,

If you track down the person through
either /var/adm/syslog/syslog.log
or /var/adm/sulog you could look
into their home directory and view
their .sh_history file

If they are smart enough they will have
already covered their tracks, but they
may not have.

-Michael
Anyone for a Mutiny ?
Uday_S_Ankolekar
Honored Contributor

Re: user login record

Hi,

Enabling auditing would help in most ways.
If you have doubts about somebody who could possibly be making changes, then check the .history file in that particular user's home directory.
who -R would show you where the person logged in from and when he logged in.

-USA..

Good Luck..
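
Added example, not part of any reply in this thread: several replies point to /var/adm/sulog, and this sketch narrows it to the su attempts that fall close to the modification time of the changed file. The function names `sample_sulog` and `su_near` are hypothetical, the log lines are constructed, and the script assumes the usual sulog layout `SU MM/DD HH:MM +|- tty fromuser-touser`.

```shell
#!/bin/sh
# Constructed sample lines in the sulog layout:
#   SU MM/DD HH:MM <+|-> tty fromuser-touser   (+ = success, - = failure)
sample_sulog() {
cat <<'EOF'
SU 12/01 22:10 + pts/1 alice-root
SU 12/02 05:12 - pts/3 bob-root
SU 12/02 05:29 + pts/3 bob-root
SU 12/02 05:58 + pts/4 carol-oracle
SU 12/02 09:40 + pts/2 alice-root
EOF
}

# su_near DATE TIME MINUTES   (reads sulog lines on stdin)
# Prints every su attempt on DATE (MM/DD) within MINUTES of TIME (HH:MM),
# where TIME is typically the mtime of the modified file from ls -l.
# Failed attempts are kept: a FAIL followed by an OK is worth a look.
# The window does not wrap across midnight.
su_near() {
    awk -v d="$1" -v t="$2" -v w="$3" '
        function mins(hm,  p) { split(hm, p, ":"); return p[1] * 60 + p[2] }
        $1 == "SU" && $2 == d {
            delta = mins($3) - mins(t)
            if (delta < 0) delta = -delta
            if (delta > w) next
            # Field 6 is "from-to"; split at the last hyphen.
            n = split($6, u, "-")
            to = u[n]
            from = substr($6, 1, length($6) - length(to) - 1)
            printf "%s %s %s from=%s to=%s tty=%s\n", \
                $2, $3, ($4 == "+" ? "OK" : "FAIL"), from, to, $5
        }'
}

# Constructed case: file modified on 12/02 at 05:33, look 30 minutes either side.
sample_sulog | su_near 12/02 05:33 30
```

On a live system, feed it the real log (`su_near 12/02 05:33 30 < /var/adm/sulog`) and match the tty of each hit against `last` or `who -a /var/adm/wtmp` to get the login session and its origin.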