The UNIX and Linux Forums  

  #1  
Old 02-22-2006
Registered User
 

Join Date: Nov 2005
Posts: 15
Command history

Hello All

I would like to know how to find the history of some commands (telnet, rm, grep, ...) under AIX.


Thanks to all.
  #2  
Old 02-22-2006
Registered User
 

Join Date: Nov 2001
Location: Flint, MI
Posts: 186
Try the fc command. Do a man fc to find out more.
  #3  
Old 02-22-2006
andryk's Avatar
Registered User
 

Join Date: Sep 2003
Posts: 448
Quote:
Try the fc command. Do a man fc to find out more.
... but what if 'the user' modifies or just deletes the history file?
  #4  
Old 02-22-2006
Registered User
 

Join Date: Jun 2005
Posts: 23
How your shell history is kept depends upon your shell (sh, csh, ksh, etc.). You are probably using Korn shell, which defaults to using .sh_history in the user's home directory to store a history in. You can change this by setting HISTFILE in your .profile. I would recommend setting the following in /etc/profile:

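# Login name as recorded at login, so it survives a later su
USER=`/usr/bin/who am i | /bin/cut -d' ' -f 1`
MYTTY=`/usr/bin/tty`
BASETTY=`/bin/basename ${MYTTY}`
HISTFILE=${HOME}/.hist.${USER}.${BASETTY}
# ksh takes the history length from HISTSIZE (called HISTORY in the text of this post)
HISTSIZE=100000
# Mark read-only, then export (readonly and export are separate commands)
readonly HISTFILE HISTSIZE
export HISTFILE HISTSIZE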

A lot of books espouse using $$, your PID. This is dumb. You get a separate shell history per login, but you create a boatload of files that never get reused. These self same books will tell you to do something stupid like create a cron job to delete any of these that are more than 3 days old. 3 days! Try 6 months! With the above, as you only have one (pseudo) terminal for each login session, each login session will get their own history. However, you will reuse the ttys, so you will reuse the history files. If HISTORY is large enough, however, you'll go back far enough. You can, however, trace back who had which tty when via the "last" command. There is no way to historically trace the PID. If you don't want to reuse the history files, add the date:

DATE=`/bin/date "+%Y%m%d.%H%M"`

I would put it between .hist and ${USER}. The ${USER} part may seem superfluous, but if you have some account used by multiple users (like say "oracle"), then this allows you to see who did what. Because you take the username off of "who", you see their name before they su'ed (and of course you are going to set RLOGIN to "no" for a user like oracle so that users are forced to login as themselves and then su to the account, so that you have a paper trail to follow).

If we are talking about some derivative of C shell (csh), you have to put something in the user's .cshrc file (.login will not do) like:

set history = 100000
set savehist = 100000

Actually the first one is how many history commands to show when they type "history", so that one you might make smaller. No way to make it read-only. No way to set the file's name, it saves in $HOME/.history (like it or not). Furthermore, ksh writes to the history as it goes. csh writes to .history when it exits. Log in to two windows, exit out of window A, exit out of window B - the history saved by window A gets overwritten and is lost; only the history of window B gets saved. For this reason, if history is important to you, csh is not your first choice.

Bourne shell doesn't do history at all.

The catch 22 is, if users can write to their history files, users can trash their own history files. Nothing you can do about that (other than say frequent backups).

Last edited by Garry_Garrett; 02-22-2006 at 05:25 PM. Reason: pronoun mistake
  #5  
Old 02-26-2006
Registered User
 

Join Date: Nov 2005
Posts: 15
Remote connections

Thank you

And what about the history of remote connections, telnet for example?
Where can I find this information?
  #6  
Old 02-27-2006
Registered User
 

Join Date: Jun 2005
Posts: 23
History of telnet

If you are on computer "A" and you telnet into computer "B", then when you login to computer "B", the shell there will record what you have done. Nothing on computer "A" will record what commands were issued in the telnet session (which is what I think you are looking for).

If you have used the values for HISTFILE that I recommended (particularly if you add the date), then on computer "B", you can see the pseudo terminal, and you can use "last" to determine where the user logged in from. You could then use "last" on computer "A" to see who was logged in at that time and go search through their shell histories.

This isn't perfect.

I suppose perhaps you could use "script" to record all input/output of a user session into a file. It's not really made for this sort of thing; putting it in a .profile may get you into an infinite loop. "script" will fire off a shell and when that shell exits, any input/output from that shell gets recorded in a file (defaults to "transcript", but you can pass an argument to write to some other file). Because script fires off a shell, if you put it into a .profile, you could fire off a shell that fires off a shell that fires off a shell... infinite loop.
"script" seems to have the level of logging you want, but how to make it work (and how to force users to use it).

I suppose you could packet sniff, say with tcpdump. In next to no time, you'll have a huge file to pick through. I think this would only be practical if you were to target specific users you are suspicious of, etc.
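The correlation described in posts #4 and #6 (history file name to `last` record, to learn where a login came from), as an added example that is not part of any post in this thread. It assumes the dated file name layout `.hist.YYYYMMDD.HHMM.user.tty` and a `last` listing whose third column is the remote host; `hist_origin` is a hypothetical helper name and the sample data is constructed.

```shell
#!/bin/sh
# Constructed sample of `last` output, newest first (not real data).
# Assumed columns: user, tty, remote host, month, day, login HH:MM, ...
SAMPLE_LAST='bob       pts/3    10.1.1.20    Feb 22 18:10   still logged in.
garry     pts/3    10.1.1.7     Feb 22 17:04 - 17:50  (00:46)
garry     pts/1    10.1.1.7     Feb 22 09:15 - 12:00  (02:45)
alice     pts/3    10.1.1.9     Feb 21 17:04 - 17:30  (00:26)'

# hist_origin FILE (hypothetical helper): reads `last` output on stdin and
# prints "user tty host login-time" for the session that created FILE.
# Returns non-zero when the name is malformed or no session matches.
hist_origin() {
    name=$(basename "$1")
    awk -v name="$name" '
    BEGIN {
        n = split(name, p, "[.]")      # "", hist, date, time, user, tty
        if (n != 6 || p[2] != "hist") exit 2
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
        want_mon = mon[substr(p[3], 5, 2) + 0]
        want_day = substr(p[3], 7, 2) + 0
        want_hm  = p[4] + 0
        user = p[5]; tty = p[6]
    }
    # Same login name, same terminal (the basename of pts/3 is "3"), same
    # day. `last` prints no year, so the year in the name is not checked.
    $1 == user && ($2 == tty || $2 ~ ("/" tty "$")) &&
    $4 == want_mon && $5 + 0 == want_day {
        hm = $6; sub(":", "", hm)
        # /etc/profile runs just after login, so the login minute is at or
        # before the minute in the name; newest-first input gives the
        # closest such session first.
        if (hm + 0 <= want_hm) { print $1, $2, $3, $6; found = 1; exit }
    }
    END { if (!found) exit 1 }'
}

# History written under the shared "oracle" account by the login "garry":
printf '%s\n' "$SAMPLE_LAST" |
    hist_origin /home/oracle/.hist.20060222.1705.garry.3
```

On a live system the constructed sample would be replaced by piping the real `last` output into the function.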
  #7  
Old 03-01-2006
Registered User
 

Join Date: Nov 2005
Posts: 15
Good evening

I want to know the IP addresses of all machines which are connected to my server. In UNIX SCO I use the "finger" command, but in AIX I don't know what I can do because finger doesn't give me the IP address.
Thanks, all.
All times are GMT -7.