Auditlog for user's commands

wiltonor

Programmer
Feb 7, 2007
Hi everyone!

I would like to get a command or prepare a script that gets user's commands on an AIX server. I have tried the lastcomm <UserID> command, but it does not show the parameters.

=>For example, if a user called John removes a file:

rm test.sh

=>And afterwards, I want to know what he has typed:

lastcomm John

=>The result is shown as follows:

rm John pts/2 0.02 secs Wed Feb 07 14:49

=>But I would like to get an auditlog containing parameters too. So it would be shown:

rm test.sh John pts/2 0.02 secs Wed Feb 07 14:49

Could anyone give me a suggestion concerning this, please?!

I appreciate your attention!

Thanks and Regards,

Wiltonor
 
Look in the .sh_history file in the user's home directory.
 

Hi cgt1!

You are right!
.sh_history contains the parameters.
But what is strange is that they are not shown through a simple command, such as lastcomm.
Do you think it would be necessary to implement a script to get the whole information from .sh_history? Any suggestion, please?

Thanks in advance!

Wiltonor
 
Or enable script in the user's .profile (but it'll get big).

See man script.

Mike

 
Ok folks!

Thanks a lot for your support!

I will get these tips and try to create a script to show user's history (containing all commands and parameters typed before).

Wiltonor

 
On AIX 5.3 you can export EXTENDED_HISTORY=ON in /etc/profile, and then you will also get the date/time when each command was executed. To check the date you should run:

fc -t



You can also increase the HISTSIZE variable to avoid .sh_history being cut.


 
Hello ogniemi!

You have suggested a fine option too!

Thanks a lot for your help!

Wiltonor
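
Added example (not part of the original thread): a POSIX shell function along the lines of the script discussed above, printing each account's .sh_history as user/command pairs. The passwd-style input file, the <home>/.sh_history location and the one-command-per-line reading after stripping control bytes are assumptions, and the sample accounts are constructed.

```shell
#!/bin/sh
# Added example: print "user<TAB>command" for each account's ksh history file.
# Assumptions: passwd-format input, history kept in <home>/.sh_history, and one
# command per line once non-printable bytes are dropped.

# history_report PASSWD_FILE [MIN_UID]
history_report() {
    passwd_file=$1
    min_uid=${2:-0}
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $uid in ''|*[!0-9]*) continue ;; esac   # skip comments and malformed lines
        [ "$uid" -ge "$min_uid" ] || continue        # leave out system accounts
        hist=$home/.sh_history
        [ -f "$hist" ] && [ -r "$hist" ] || continue
        # ksh history files carry NUL and other control bytes; keep only tab,
        # newline and printable ASCII, then skip lines that end up empty.
        tr -cd '\11\12\40-\176' < "$hist" |
        while IFS= read -r cmd || [ -n "$cmd" ]; do
            if [ -n "$cmd" ]; then printf '%s\t%s\n' "$user" "$cmd"; fi
        done
    done < "$passwd_file"
    return 0
}

# Constructed sample data so the example runs offline: two accounts, one of
# them with a history file that contains control bytes between commands.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/john" "$d/home/mary"
    printf 'john:!:205:1::%s/home/john:/usr/bin/ksh\n' "$d"  > "$d/passwd"
    printf 'mary:!:206:1::%s/home/mary:/usr/bin/ksh\n' "$d" >> "$d/passwd"
    printf '\201\001rm test.sh\000\000\nls -l /tmp\000\n' > "$d/home/john/.sh_history"
    echo "$d"
}

sample=$(make_sample)
history_report "$sample/passwd" 200
rm -rf "$sample"
```

History files are writable by their owner, so a report built from them shows what the file currently contains rather than a tamper-proof record.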
 