log commmands entered by users?

[jpn1]

We are having weird things, well corupted index's on a customers system. We have seen this in the past when a customer uses kill -9 to stop certain processes.

They say no one does this. I know I can log in as a particular user and look through that users history, but on a system with 60+ users. Could take some time.

Maybe I can collect all the history files and then write a parser that would find certain commands.

I am wondering if there is a log file that collects when these commands are issued, or if one can be configured.

 

[hfaix]

You might take a look at AIX audit. I'm not sure if it can do this or not...but it can monitor some unique stuff

 

[jpn1]

I'm not familar with AIX audit, is this 3rd party software?

 

[hfaix]

Nope, it's part of AIX. I run it on 5.2 and 5.3 for some very basic stuff (user and group changes). It's creates a report of who changed what.

Just google it.

 

[hfaix]

Actually...check out:

http://www.redbooks.ibm.com/redbooks/pdfs/sg246020.pdf

look at adobe page (45 out of 200). The page actually says it's "Chapter 2. Auditing on AIX (page) 31"

or search for "kill" in this pdf. It's exactly what you're looking for. It's a bit involved, I guess it depends on how bad you want to know the answer.

 

[jpn1]

WOW thanks, I've setup advanced auditing and can now audit when users use the kill command.
Exactly what I needed. Thanks for the direction.