user logon activities with dates and terminals

Status
Not open for further replies.

promise1

IS-IT--Management
Sep 3, 2000
Hi!
I would like to get all user logon activities with the dates and terminals respectively.

The history and .sh_history alternatives do not show the time and terminal of respective activities.

This is required for my audit department.

Promise
 
promise,

cd into /var/adm

do

who wtmp

This will list all users who have logged into the system with times and dates from the last time the file was cleared down. Either pipe it to more or lp if you wish.

Cheers

PSD
IBM Certified Specialist - AIX V4.3 Systems Support
IBM Certified Specialist - AIX V4 HACMP
 
Not sure but I think Promise is after a log of all user activity (keystrokes, commands included)? Difficult one if you want to avoid very big files. However, a combination of PSD's suggestion and .sh_history might give an idea, if the latter is copied to an archive area for each user on a nightly basis. Auditors eh? Who needs 'em? ;-)
 
Are the auditors......looking for auditing or accounting for your machine?
See below to set up and info on............ PSD is right though who wtmp will give you a list of who and when...as well as checking /etc/security/failedlogin...for hackers on a particular port..... who /etc/security/failedlogin


accounting:

general accounting info

This won't tell you what commands they execute though....like Ken says...I guess it depends on what you are trying to capture?

Be aware that all of these create large files that need to be watched for size....and preened....
 
Hi all, thanks for your speedy response. As you guessed right, I would like to know the following for "previous" logins:

userid
time
login terminals
activities undertaken ( del , rcp etc)

cheers
Promise
 
Promise,

Well, this is not easy. The wtmp file will tell you terminal, user and time information, but nothing breaks down user logins in terms of commands that have been run. Look at executing the script command when someone logs in: you could set up a simple script to log the user, time and tty and then use script to record the keystrokes. Beware, though, the files will be very large. Or you could copy the .sh_history file to a new location reflecting the time, date, etc.

Cheers





PSD
IBM Certified Specialist - AIX V4.3 Systems Support
IBM Certified Specialist - AIX V4 HACMP
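The approach in the last reply above (log the user, time and tty at login, record the session with script, or copy .sh_history to a name reflecting the date and time), written out as an added example that is not part of any post in this thread. AUDIT_DIR, the function names, the AUDIT_SESSION guard variable and the file naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and names below are assumptions.
AUDIT_DIR=${AUDIT_DIR:-/var/adm/session_audit}   # assumed archive location

# Print "user tty" for the current login; falls back when there is no tty.
session_ident() {
    u=${LOGNAME:-$(id -un)}
    t=$(tty 2>/dev/null) || t=notty
    t=$(printf '%s' "${t#/dev/}" | tr '/ ' '__')   # pts/3 -> pts_3
    printf '%s %s\n' "$u" "$t"
}

# Append one login record (time, user, tty) and print the path of the
# per-session typescript file that script should write to.
# usage: start_session_log <dir> <user> <tty> <timestamp>
start_session_log() {
    dir=$1 user=$2 term=$3 stamp=$4
    mkdir -p "$dir/$user" || return 1
    chmod 700 "$dir/$user"
    printf '%s user=%s tty=%s\n' "$stamp" "$user" "$term" >> "$dir/logins.log" || return 1
    printf '%s\n' "$dir/$user/$stamp.$term.typescript"
}

# Copy a history file into the archive under a name reflecting date and time.
# usage: archive_history <history_file> <dir> <user> <timestamp>
archive_history() {
    hist=$1 dir=$2 user=$3 stamp=$4
    [ -f "$hist" ] || return 0        # no history yet: nothing to archive
    mkdir -p "$dir/$user" || return 1
    cp -p "$hist" "$dir/$user/sh_history.$stamp"
}

# Login hook, e.g. at the end of /etc/profile (left commented out here so the
# functions can be sourced and tested without starting a recorded session):
#   [ -n "$AUDIT_SESSION" ] || {
#     set -- $(session_ident); AUDIT_SESSION=1; export AUDIT_SESSION
#     log=$(start_session_log "$AUDIT_DIR" "$1" "$2" "$(date +%Y%m%d.%H%M%S)") \
#       && exec script "$log"
#   }
```

Because the hook runs as the user who is logging in, that user can alter or delete these files; wtmp, which ordinary users cannot write, remains the record to rely on for who logged in, when and from which terminal.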
 