12-04-2018 12:11 AM
How to track commands issued by particular user in the last 3 days
Hi
I'm trying to track the commands that a particular user issued in the last few days, but with no success. I have issued the following commands: "history -200", "last"; one command whose output I did not quite understand was:
who -aHT
. run-level 3 Oct 31 16:14 3 0 S
. system boot Oct 31 16:14
vxenable . Oct 31 16:14 0:03 263 id=vxen term=0 exit=1
bcheckrc . Oct 31 16:14 0:03 264 id=brc1 term=0 exit=0
cat . Oct 31 16:14 0:03 354 id=cprt term=0 exit=0
clu_spaw . Oct 31 16:14 0:03 355 id=cspd term=0 exit=127
rm . Oct 31 16:14 0:03 357 id=ems1 term=0 exit=0
sh . Oct 31 16:14 0:03 359 id=ems2 term=0 exit=0
fsdaemon . Oct 31 16:14 0:03 362 id=fs01 term=0 exit=0
fsdaemon x . Oct 31 16:14 0:03 364 id=fs02
fsdaemon . Oct 31 16:14 0:03 365 id=fs03 term=0 exit=0
sh . Oct 31 16:14 0:03 366 id=link term=0 exit=0
rc . Oct 31 16:15 0:03 369 id=sqnc term=0 exit=0
NAME LINE TIME IDLE PID COMMENTS
LOGIN + console Oct 31 16:28 old 3148 system console
krsd x . Oct 31 16:15 0:03 2750 id=krsd
sfd x . Oct 31 16:15 0:03 2751 id= sfd
esmd x . Oct 31 16:15 0:03 2752 id=esmd
cimserve x . Oct 31 16:15 0:03 2753 id=cim1
sh . Oct 31 16:15 0:03 2754 id=ems3 term=0 exit=0
p_client x . Oct 31 16:15 0:03 2757 id=ems4
iocdsfd x . Oct 31 16:15 0:03 2758 id=cdsf
clu_dsf_ . Oct 31 16:15 0:03 2759 id=cdin term=0 exit=0
utild x . Oct 31 16:15 0:03 2760 id=util
bscsprod - pts/0 Dec 4 08:52 0:10 12548 10.100.4.28
bscsprod - pts/ta Dec 4 09:04 0:30 12930 10.100.4.76
. pts/1 Nov 7 09:28 old 3657 id= 1 term=0 exit=0
. pts/2 Nov 16 12:01 old 7307 id= 2 term=0 exit=0
bscsprod pts/tb Oct 11 13:59 old 25691 id= tb term=0 exit=0
bscsprod - pts/tc Dec 4 09:12 0:09 13293 10.100.4.39
bscsprod pts/td Oct 29 18:53 old 8474 id= td term=0 exit=0
bscsprod pts/te Nov 12 17:25 old 28751 id= te term=0 exit=0
payments pts/tf Nov 8 19:08 old 5480 id= tf term=0 exit=0
root - pts/3 Dec 4 09:43 . 14427 10.100.4.72
bscsprod pts/tg Nov 9 02:18 old 19588 id= tg term=0 exit=0
. pts/4 Nov 30 18:18 old 26679 id= 4 term=0 exit=0
bscsprod - pts/5 Dec 4 10:07 0:02 15384 10.100.4.28
bscsprod pts/th Nov 8 19:23 old 5239 id= th term=0 exit=0
bscsprod pts/ti Nov 9 01:47 old 20863 id= ti term=0 exit=0
bscsprod pts/tj Nov 2 18:51 old 2382 id= tj term=0 exit=0
. pts/6 Dec 3 17:25 20:31 1809 id= 6 term=0 exit=0
. pts/7 Dec 3 21:19 15:54 9707 id= 7 term=0 exit=0
mcelbgh[310]/ #
I did not understand the two dots under the username on the last two lines of this output.
12-04-2018 07:32 PM
Re: How to track commands issued by particular user in the last 3 days
bscsprod pts/tj Nov 2 18:51 old 2382 id= tj term=0 exit=0
. pts/6 Dec 3 17:25 20:31 1809 id= 6 term=0 exit=0
. pts/7 Dec 3 21:19 15:54 9707 id= 7 term=0 exit=0
bscsprod logged in more than 24 hours ago (old) and has been inactive since then (Nov 2).
The user started a new shell session (by typing the login command, for example) using device file pts/6, then from that login started another new shell session with pts/7 about 4 hours later. The dots indicate sublogins.
The who and last commands won't tell you what that user typed, just when they started and finished their sessions. The actual list of commands is stored in the file named in the user's session variable $HISTFILE. If you log in as that user, then the shell's history command (which is aliased to fc) will report the most recent 10 commands typed by that user. To see all the commands, make a copy of the file $HISTFILE (by default, ~/.sh_history for ksh or POSIX shell) to examine offline. The history file has binary codes embedded which render the history command non-functional if the history file is modified. There is no timestamp provided with these commands.
Bill Hassell, sysadmin
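An added example (not code from the thread) that follows the advice above: it preserves a copy of the history file with a checksum, strips the embedded non-printing bytes so the commands can be read without ever editing the original, and lists matching entries by sequence number, since ksh keeps no timestamps. The paths, the sample history file and the function names are constructed for this example; only tr, awk, sed, cp and cksum are assumed, all as POSIX tools.

```shell
#!/bin/sh
# Added example, not code from the thread. Works on a COPY of the ksh/POSIX
# shell history file: ksh embeds non-printing bytes in it and history/fc
# stop working if the original is edited, so the original is only ever read.
# Paths and the sample file below are constructed.

# preserve_history FILE EVIDENCE_DIR
#   Copy FILE with permissions and mtime intact (cp -p), record a cksum of
#   the copy, and print the copy's path. Analyse the copy, not the original.
preserve_history() {
    mkdir -p "$2" || return 1
    copy="$2/$(basename "$1").copy"
    cp -p "$1" "$copy" || return 1
    cksum "$copy" >> "$2/checksums.txt"
    printf '%s\n' "$copy"
}

# extract_history FILE
#   Replace every non-printing byte (the NUL separators and other markers
#   ksh writes) with a newline and drop the blank lines that result, giving
#   one command per line in file order.
extract_history() {
    tr -c '[:print:]\n\t' '\n' < "$1" | sed '/^[[:space:]]*$/d'
}

# find_commands FILE PATTERN
#   Print "seq: command" for each entry matching PATTERN (an awk regex). The
#   sequence number is the only ordering ksh keeps (no timestamps), and
#   HISTSIZE caps how many entries survive, so absence is not proof.
find_commands() {
    extract_history "$1" | awk -v pat="$2" '{ n++ } $0 ~ pat { printf "%d: %s\n", n, $0 }'
}

# count_commands FILE PATTERN -> number of matching entries
count_commands() {
    find_commands "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_history FILE
#   Constructed stand-in for a .sh_history: commands separated by NUL bytes,
#   plus one extra control byte to mimic the other markers ksh writes.
make_sample_history() {
    printf 'ls -l /data\000cd /data/old\000rm -f report.txt\000\001ls\000' > "$1"
}

# Usage: preserve first, then search the copy for rm commands.
# f=$(preserve_history /home/USER/.sh_history /var/tmp/evidence)
# find_commands "$f" '^rm'
```

The history file is writable by the user and only records interactive shell commands (not scripts, cron jobs or commands run after su to another account), so it supports an investigation but does not replace the audit subsystem.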
12-04-2018 11:43 PM
Re: How to track commands issued by particular user in the last 3 days
Many thanks for the reply, but I guess the $HISTFILE variable is not set, judging by the result of typing the following:
echo $HISTFILE sh: HISTFILE: Parameter not set.
inside the user home directory.
Can I set this parameter in the .profile file in the root directory, or must it be in the user's home directory? Because in its home directory there are only normal files... user files, I mean.
12-05-2018 01:27 AM
Re: How to track commands issued by particular user in the last 3 days
Hi
I did find the ".sh_history" of some users, and I went through some of them, but with no "rm" command in them.
Can an "rm" command only be found to have been used if auditing is enabled?
12-05-2018 02:39 AM - edited 12-05-2018 06:29 AM
Re: How to track commands issued by particular user in the last 3 days
export HISTFILE=~/.sh_history
export HISTSIZE=2000
Bill Hassell, sysadmin
12-05-2018 02:47 AM - edited 12-05-2018 06:30 AM
Re: How to track commands issued by particular user in the last 3 days
Finally, a file cannot be removed if the directory permissions don't allow it. 777 is a bad directory permission.
Bill Hassell, sysadmin