HPE Community
Operating System - Linux
1822142 Members
3363 Online
109640 Solutions
New Discussion

How to track who has done what and when in Linux

 
senthil_kumar_1
Super Advisor

‎02-24-2012 08:02 AM

‎02-24-2012 08:02 AM

How to track who has done what and when in Linux

Hi All,

 

Is there any feature in Linux (Redha / Suse) like even log viewer of windows where in we can see all activities of the users and OS?

 

 

Is there any third party tool for this?

0 Kudos
Reply
6 REPLIES 6
Nighwish
Frequent Advisor

‎02-27-2012 05:47 AM

‎02-27-2012 05:47 AM

Re: How to track who has done what and when in Linux

Hi

 

 

You can see login through the command "last".

 

To see what user do, you can configure "history" command in the profile of the user:

 

 

set history=200
set savehist=200

 

Regards

0 Kudos
Reply
Alzhy
Honored Contributor

‎03-19-2012 12:05 PM

‎03-19-2012 12:05 PM

Re: How to track who has done what and when in Linux

 

Suggestions:

 

CFENGINE 3  (www.cfengine.org or its Nova Commercial Release)

Install AIDE (Advanced Intrusion Detection Engine? - very similar to  Tripwire )

Install Tripwire (open source or commercial)

 

My primary recommendation would be CFENGINE though as it is IMHo the most advanced, most widely tested and uniqe System Administration / Control Freakery tool that if you master it fully and innovate around it -- could make you a SysAdmin God.

 

;^)

Hakuna Matata.
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎03-20-2012 08:50 AM

‎03-20-2012 08:50 AM

Re: How to track who has done what and when in Linux

AIDE and Tripwire are tools for verifying "have these files changed or not?".

CFEngine is a large-scale verification and automation system.

 

But if you simply want to monitor one user in one system, CFEngine would be a massive overkill and AIDE and Tripwire might not be quite fit to the requirements.

 

What you need is the audit subsystem of the Linux kernel. It is included in RHEL, probably SLES too.

 

You can find some documentation of it here:

http://people.redhat.com/sgrubb/audit/

 

The audit subsystem can log user actions at the system call level: if you want, it will log the start-up of any process, and opening of any file by the user. However, you're likely to see more output than you want: you will see that even starting up a simple command like "ls" requires opening multiple files, like system libraries, /etc/timezone, and localization files.

MK
0 Kudos
Reply
Alzhy
Honored Contributor

‎03-23-2012 12:41 PM

‎03-23-2012 12:41 PM

Re: How to track who has done what and when in Linux

I disagree Matti.

 

Companies large and small actually lean more towards CFENGINE these days -- ditto with Tripwire as it offers a consistent tool accross all flavours of Linux and UNIX (heck even Windows).

 

 

Hakuna Matata.
0 Kudos
Reply
rmueller58
Valued Contributor

‎05-01-2012 01:48 PM - edited ‎05-01-2012 01:52 PM

‎05-01-2012 01:48 PM - edited ‎05-01-2012 01:52 PM

Re: How to track who has done what and when in Linux

add the following command to user profiles

 

before hand:

mkdir /var/log/useractivity

chmod 755 /var/log/useractivity

touch /var/log/useractivity/user.log ## EQUALS LINUX USER 

 

in .bash_profile

 

script  -a /var/log/useractivity/$user.log

clear

 

 

0 Kudos
Reply
ManojK_1
Valued Contributor

‎05-02-2012 05:17 AM

‎05-02-2012 05:17 AM

Re: How to track who has done what and when in Linux

Hi,

 

It is possible to track who has done what and when in Linux with the help of bash shell.

 

I have done it in my datacenter for all HP Unix and Linux Servers. Each and every keystroke (command executed) will capture in syslog and the syslog is configured with SIEM so that the same syslog will update in a remote system.

 

Manoj K

 

 

 

 

Thanks and Regards,
Manoj K
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.