.profile controls 2

[RaulGB]

Hi,

We are currently working in AIX 4.3.3, and experiencing some problems that we need to find out the cause rather urgently.

The .profile file of each user allows them to get into the application that they are working on, right after finishing their work (i.e. exiting the application), the .profile issues an "exit" command in order to get them out of the server, but we are suspicious that some users might be finding a way to get out of the application and ending up at the prompt (skipping the "exit" command), this is what we are trying to prevent, is there a way you can suggest us that will allow us to do this?

Another thing that we would want to do is to enable some auditing software that will allow us to check exactly what commands are being issued by each user, right now, what we have is the ".sh_history" file that we can check for each user, but this file can be deleted so it would be untraceable to see what each user is doing.

Thanks in advance for your help, best regards.

Randal.

 

[sbix]

You have to modify the .profile by trapping the Ctrl+C SIGNAL using "trap" command
The trap command must be in the first lines of the script.
This command traps the signal specified and execute the specified command, which could be also a function
something like

trap 'CTRL-C' 1 #Transfer control to CTRL-C
trap 'CTRL-C' 2
trap 'CTRL-C' 5

#
# Function CTRL-C
# Used to prevent illegal exit
CTRL-C {
.... perform some check or logging ..
exit
}

 

[DSMARWAY]

hi ,
just to add a few more things , if you type kill -l ( thats l for lego ) will list all trap signals , and if you look at
/usr/include/sys/signal.h will give you a brief description of what traps 1,2 & 5 are i.e.
trap 1 /* hangup, generated when terminal disconnects */
trap 2 /* interrupt, generated from terminal special char */
trap 5 /* (*) trace trap (not reset when caught) */

You can turn accounting on AIX , by issuing

/usr/bin/su - adm -c /usr/sbin/acct/startup

susequently shutacct to stop it .

This creates a large file in /var/adm/ called pacct
either you can link this to an area where you have a lot of space or you can use or use ckpacct command to set how big you want pacct file to be and if it reaches this size accounting is turned off

To view the pacct file use the accton command

from man page accton
convert file to ASCII

/usr/sbin/acct/acctprc1 < /var/adm/pacct >out.file



HTH

 

[Ogzilal]

Hi,

You can use exec command to load your application in the started shell session initaited by the user, so there is no shell running after the application is stopped.

guess your .profile is like :

PATH=...
running_your_appli
exit

It's better to do:
PATH=...
exec running_your_appli



The exec command loads your application in the memory where the shell was running before starting your application. There is no shell running after exec.

 

[Gloups]

Here is another way to do it, you may simplu change the initial program.

Instead of /usr/bin/sh you may put directly the path to each user program they have to work with.

Normaly they can't have a shell prompt and then you are not oblige to log users commands.

 

[Yegolev]

also read man pages on Rsh (not rsh). that is the restricted shell and, properly configured, will remove any sort of worry about users breaking out of their applications.

IBM Certified -- AIX 4.3 Obfuscation

 

[RaulGB]

thanks a lot for the responses.