04-04-2008
Quote:
Originally Posted by
KeesH
Only problem with that is that the user can see their own .history folder and delete the file, thus deleting the trace....
How can you combat that?
create a directory which is write-only (read is disallowed) and put the history-files there. Thus the shell process will be able to write the history, but the users won't be able to read it.
bakunin
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hello All!
Does anyone know of a nice way to log commands in solaris 8.
What I need is a program or script that saves any command that a user does in solaris command prompt. So when Steven logs in on a system, it should record everything he does, from an ls to exit with timestamps. I've been... (6 Replies)
Discussion started by: dozy
6 Replies
2. UNIX for Dummies Questions & Answers
Hi,
I have been asked if it is possible to track the last time a specific user logged in to the sysetm.
checked my documentation but can't see it there - google is not being very helpful either.
I wonder if someone here can help - it will be much appreciated.
Thanks
Suresh (1 Reply)
Discussion started by: sureshy
1 Replies
3. SCO
:D Hi, I'm searching for a command or commands to see the user and programs activity and who much resources is in use. In Unix I remember a TOP command but in SCO I'm don't find a similar. My system is a UNIX SCO 5.6 Thank's (1 Reply)
Discussion started by: DigitalExecutiv
1 Replies
4. Solaris
Is there a command to find out all the commands ran by a certain user id?
TiA (5 Replies)
Discussion started by: PapaPark
5 Replies
5. AIX
hi all,
the audit /etc/security/audit/config file is only referring one user at a time. how do you specify all users to be monitored?
I've tried ALL = general but got error when invoke "audit start".
thanks (1 Reply)
Discussion started by: itik
1 Replies
6. AIX
Hello everyone
I have this process running on my server.
topas command
User 98.6 |############################
I have this process
Name PID CPU% PgSp Owner
db2fm 565264 25.6 1.5 ldapdb2
db2fm 348328 23.6 ... (4 Replies)
Discussion started by: lo-lp-kl
4 Replies
7. UNIX for Advanced & Expert Users
Hi,
I would like to know if there is anyway that I can pinpoint the user before/after he connects to the root? Also, I'm trying to find out what are the commands he inputs under root access. (6 Replies)
Discussion started by: pointgetter0
6 Replies
8. Red Hat
Hi, I need to log the activity of my SFTP (RHEL 5.4).
I have this in /etc/sshd/sshd_config:
Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL5 -l VERBOSE
And this in /etc/syslog.conf:
LOCAL5.* /var/log/sftp.log
When I log in... (1 Reply)
Discussion started by: Tr0cken
1 Replies
9. AIX
Dear All
When I start the AIX(6100-06)audit subsystem.
the log will save in /audit/stream.out (or /audit/trail), but in default when /audit/stream.out to grow up to 150MB.
It will replace the original /audit/stream.out (or /audit/trail).
Then the /audit/stream.out become empty and... (2 Replies)
Discussion started by: nnnnnnine
2 Replies
10. Shell Programming and Scripting
Need some help in coming up to log all the activity that is used with our common "unix account".
Ideally I am looking for to log the activity in a "separate" file for each session or login until the user logout, I would like to capture the date/time and terminal login and record all the ... (3 Replies)
Discussion started by: rajmanna
3 Replies
audit(4) Kernel Interfaces Manual audit(4)
NAME
audit - audit trail format and other information for auditing
DESCRIPTION
Audit records are generated when users make security-relevant system calls, as well as by self-auditing processes that call (see aud-
write(2)). Access to the auditing system is restricted to super-user.
Each audit record consists of an audit record header and a record body. The record header is comprised of sequence number, process ID,
event type, and record body length. The sequence number gives relative order of all records; the process ID belongs to the process being
audited; the event type is a field identifying the type of audited activity; the length is the record body length expressed in bytes.
The record body is the variable-length component of an audit record containing more information about the audited activity. For records
generated by system calls, the body contains the time the audited event completes in either success or failure, and the parameters of the
system calls; for records generated by self-auditing processes, the body consists of the time audwrite(2) writes the records and the high-
level description of the event (see audwrite(2)).
The records in the audit trail are compressed to save file space. When a process is audited the first time, a pid identification record
(PIR) is written into the audit trail containing information that remains constant throughout the lifetime of the process. This includes
the parent's process ID, audit tag, real user ID, real group ID, effective user ID, effective group ID, group ID list, effective, permit-
ted, and retained privileges, compartment ID, and the terminal ID (tty). The PIR is entered only once per process per audit trail.
Information accumulated in an audit trail is analyzed and displayed by (see audisp(1M)).
AUTHOR
was developed by HP.
SEE ALSO
audsys(1M), audevent(1M), audisp(1M), audomon(1M), audwrite(2), audit(5), compartments(5), privileges(5).
audit(4)