07-11-2005
Has system auditing been switched on?
If you go into sam -> Auditing and Security -> "Events".
It won't ask you if you need to convert to a trusted system. If it doesn't ask this then you should be able to find the information in audited users. That's if the user you're wanting to check has been audited against, mind you!
This is on HP-UX; on Solaris you need to enable BSM.
Only other command I can think of is who, to see who was on the system at the time the cron was modified.
Hope this helps.
Kenny
LEARN ABOUT OSX
audit_user
AUDIT_USER(5) BSD File Formats Manual AUDIT_USER(5)
NAME
audit_user -- events to be audited for given users
DESCRIPTION
The audit_user file specifies which audit event classes are to be audited for the given users. If specified, these flags are combined with
the system-wide audit flags in the audit_control(5) file to determine which classes of events to audit for that user. These settings take
effect when the user logs in.
Each line maps a user name to a list of classes that should be audited and a list of classes that should not be audited. Entries are of the
form:
username:alwaysaudit:neveraudit
In the format above, alwaysaudit is a set of event classes that are always audited, and neveraudit is a set of event classes that should not
be audited. These sets can indicate the inclusion or exclusion of multiple classes, and whether to audit successful or failed events. See
audit_control(5) for more information about audit flags.
Example entries in this file are:
root:lo,ad:no
jdoe:-fc,ad:+fw
These settings would cause login/logout and administrative events that are performed on behalf of user ``root'' to be audited. No failure
events are audited. For the user ``jdoe'', failed file creation events are audited, administrative events are audited, and successful file
write events are never audited.
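
The entry format and the two example lines above, worked through as an added Python example (not part of the man page and not OpenBSM code): it parses username:alwaysaudit:neveraudit lines and answers whether one event would be preselected for a user. Assumptions: an unprefixed class covers both outcomes, "+" is success only and "-" is failure only (the prefixes documented in audit_control(5)), the class "no" selects nothing, the "^" prefix is not handled, the effective set is system-wide flags plus alwaysaudit minus neveraudit, and the system-wide flag string is a constructed input.

```python
# Added example: parse audit_user(5) entries and evaluate preselection.
# Assumptions: "+" = success only, "-" = failure only, no prefix = both;
# class "no" selects nothing; the "^" negation prefix is not handled.

# Constructed sample holding the two entries shown in the man page.
SAMPLE_AUDIT_USER = """\
# user:alwaysaudit:neveraudit
root:lo,ad:no
jdoe:-fc,ad:+fw
"""

def parse_flags(spec):
    """Turn 'lo,-fc,+fw' into a set of (class, outcome) pairs."""
    selected = set()
    for flag in filter(None, (f.strip() for f in spec.split(","))):
        if flag.startswith("+"):
            outcomes, cls = ("success",), flag[1:]
        elif flag.startswith("-"):
            outcomes, cls = ("failure",), flag[1:]
        else:
            outcomes, cls = ("success", "failure"), flag
        if cls == "no":  # empty class, contributes nothing
            continue
        selected.update((cls, outcome) for outcome in outcomes)
    return selected

def parse_audit_user(text):
    """Return {username: (alwaysaudit_set, neveraudit_set)}."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or not fields[0]:
            raise ValueError(
                f"line {lineno}: expected username:alwaysaudit:neveraudit")
        users[fields[0]] = (parse_flags(fields[1]), parse_flags(fields[2]))
    return users

def is_audited(users, system_flags, user, cls, outcome):
    """Assumed combination: (system-wide | alwaysaudit) minus neveraudit."""
    always, never = users.get(user, (set(), set()))
    effective = (parse_flags(system_flags) | always) - never
    return (cls, outcome) in effective
```

With system-wide flags of "lo,fw", is_audited(users, "lo,fw", "jdoe", "fw", "success") is False even though fw is enabled system-wide, because jdoe's neveraudit field removes it; a user with no entry in the file gets the system-wide flags unchanged.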
IMPLEMENTATION NOTES
Per-user and global audit preselection configuration are evaluated at time of login, so users must log out and back in again for audit
changes relating to preselection to take effect.
Audit record preselection occurs with respect to the audit identifier associated with a process, rather than with respect to the UNIX user or
group ID. The audit identifier is set as part of the user credential context as part of login, and typically does not change as a result of
running setuid or setgid applications, such as su(1). This has the advantage that events that occur after running su(1) can be audited to
the original authenticated user, as required by CAPP, but may be surprising if not expected.
FILES
/etc/security/audit_user
SEE ALSO
login(1), su(1), audit(4), audit_class(5), audit_control(5), audit_event(5)
HISTORY
The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in
2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.
AUTHORS
This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.
BSD
January 4, 2008 BSD