Auditlog for user's commands

[wiltonor]

Hi everyone!

I would like to get a command or prepare a script that gets user's commands on an AIX server. I have tried the lastcomm <UserID> command, but it does not show the parameters.

=>For example, if a user called John removes a file:

rm test.sh

=>And after, I want to know what he has typed:

lastcomm John

=>The result is showed as follows:

rm John
pts/2
0.02 secs Wed Feb 07 14:49

=>But, I would like to get an auditlog containing parameters too. So, it would be showed:

rm test.sh John
pts/2
0.02 secs Wed Feb 07 14:49

Could anyone give me a suggestion concerning this, please?!

I appreciate your attention!

Thanks and Regards,

Wiltonor

 

[newcg]

look in .sh_history file of the user's home directory.

 

[wiltonor]

Hi cgt1 !

You are right!
.sh_history contains the parameters.
But what is strange is that they are not showed through a simple command, such as lastcomm.
Do you think it would be necessary to implement a script to get the whole information from .sh_history? Any suggestion, please?

Thanks in advance!

Wiltonor

 

[newcg]

you want a cmd, type:
history

 

[khalidaaa]

yeah cgt1 is right

man history

 

[mrn]

or enable script in users .profile (but it'll get big)

see man script

Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."

 

[wiltonor]

Ok folks!

Thanks a lot for your support!

I will get these tips and try to create a script to show user's history (containing all commands and parameters typed before).

Wiltonor

 

[ogniemi]

on AIX 5.3 use can export EXTENDED_HISTORY=ON in /etc/profile and then you will also get date/time when each command was executed. To check the date you should run:

fc -t



you can also increase HISTSIZE variable to avoid .sh_history cut.

 

[wiltonor]

Hello ogniemi !

You have suggested a fine option too!

Thanks a lot for your help!

Wiltonor