Quote:
Originally Posted by bobochacha29
My question: for example, I'm logged in. I enter the command "last" and then I know there are 3 people logged in from 3 different IPs at the same time, 2 are in the same account. Then someone enters a command.
The answer is a bit complex as we are (probably) talking about two different scenarios:
1) You want to know which of the persons logged in right now is executing a certain command at the moment you are looking at it. This is not possible out of the box, but can perhaps be done with a little scripting effort. There is a list of currently running processes (you can see this list using the "ps" command), and if a user is running a process right now you will see it in this list and you will be able to attribute it to a certain user by analysing the "PPID" (parent process ID).
To implement this there is relatively little effort needed, but it will be limited to processes started during the time you monitor. It will not tell you which command has been issued (or who did it) one hour before you started your monitoring.
In addition, this method will be very taxing on the system and in practice will probably not be feasible.
2) You want the same as above, but also for "historical" data. It is no longer possible to do it by monitoring the process list, because once a process ends it will not be remembered there.
Fortunately there is another way you can do that: every command is - technically speaking - a process which is started by some parent process. For normal commands this parent process is the shell the user types the command into. To open a new process from a parent process there are only a few select system functions which do this: fork() and - ultimately - the exec()-family.
It is possible to intercept this call and write a log about executed exec()-system calls. Because every log on a system could be manipulated by a root user, it will be necessary to store this log in a remote location where the root user of the system has no root authority any more. One can do that by using the syslog facility.
In fact there exists such a program, it is called "snoopylogger" and you can download it from SourceForge. I have tried to use it on AIX a few years ago and failed, but it worked well on CentOS/RedHat. It may be working on AIX too by now. You will have to try it.
I hope this helps.
bakunin
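As an added illustration of scenario 1 above (not code from the post or from snoopylogger): the script below walks the PPID chain of each running process up to its login shell and uses that shell's tty to join the process to a line of `last`. The tty is what tells two sessions of the same account apart when they come from different addresses. The `last` and `ps -eo pid,ppid,user,tty,args` outputs are constructed sample data, and the login-shell detection relies on the conventional leading `-` in argv[0] (e.g. `-bash`), which is an assumption about how the shells were started.

```python
"""Attribute running commands to login sessions via the PPID chain.

Constructed sample data stands in for the output of `last` and of
`ps -eo pid,ppid,user,tty,args`; the parsers assume those column layouts.
"""
import re
from dataclasses import dataclass

# Constructed sample of `last` output. Columns: user, tty, remote host,
# login time, status. The carol line is a closed session and is ignored.
LAST_OUTPUT = """\
alice    pts/0        192.0.2.10       Mon May  6 09:01   still logged in
alice    pts/1        192.0.2.11       Mon May  6 09:05   still logged in
bob      pts/2        192.0.2.12       Mon May  6 09:07   still logged in
carol    pts/3        192.0.2.13       Mon May  6 08:00 - 08:30  (00:30)
"""

# Constructed sample of `ps -eo pid,ppid,user,tty,args` output.
PS_OUTPUT = """\
  PID  PPID USER     TT       COMMAND
    1     0 root     ?        /sbin/init
  900     1 root     ?        /usr/sbin/sshd -D
 1200   900 root     ?        sshd: alice [priv]
 1201  1200 alice    ?        sshd: alice@pts/0
 1210  1201 alice    pts/0    -bash
 1250  1210 alice    pts/0    vi /etc/hosts
 1300   900 root     ?        sshd: alice [priv]
 1301  1300 alice    ?        sshd: alice@pts/1
 1310  1301 alice    pts/1    -bash
 1350  1310 alice    pts/1    tar cf /tmp/etc.tar /etc
 1400   900 root     ?        sshd: bob [priv]
 1401  1400 bob      ?        sshd: bob@pts/2
 1410  1401 bob      pts/2    -bash
 1450  1410 bob      pts/2    sleep 600
 1451  1450 bob      pts/2    sh -c ls
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    tty: str
    args: str


def parse_last(text):
    """Return {tty: (user, remote_host)} for sessions that are still open."""
    sessions = {}
    for line in text.splitlines():
        if "still logged in" not in line:
            continue
        user, tty, host = line.split()[:3]
        sessions[tty] = (user, host)
    return sessions


def parse_ps(text):
    """Return {pid: Proc} from `ps -eo pid,ppid,user,tty,args` output."""
    procs = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.*)$", line)
        if m:
            pid, ppid, user, tty, args = m.groups()
            procs[int(pid)] = Proc(int(pid), int(ppid), user, tty, args)
    return procs


def login_shell_of(pid, procs):
    """Walk the PPID chain upward and return the nearest login shell.

    Assumption: a login shell is marked by a leading '-' in argv[0]
    ('-bash'). Returns None when the chain reaches init without one,
    which is what happens for daemons and for sshd itself.
    """
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        proc = procs[pid]
        if proc.args.startswith("-"):
            return proc
        pid = proc.ppid
    return None


def attribute_commands(ps_text, last_text):
    """Map each command descending from a login shell to its session.

    Returns {pid: (args, user, tty, remote_host)}. Shells themselves and
    processes with no login shell ancestor are left out.
    """
    procs = parse_ps(ps_text)
    sessions = parse_last(last_text)
    result = {}
    for pid, proc in procs.items():
        shell = login_shell_of(pid, procs)
        if shell is None or shell.pid == pid:
            continue
        user, host = sessions.get(shell.tty, (shell.user, "unknown"))
        result[pid] = (proc.args, user, shell.tty, host)
    return result


if __name__ == "__main__":
    for pid, (args, user, tty, host) in sorted(
            attribute_commands(PS_OUTPUT, LAST_OUTPUT).items()):
        print(f"pid {pid:5} {args!r:28} -> {user}@{tty} from {host}")
```

Run on the sample data it reports that `vi /etc/hosts` belongs to alice's session from 192.0.2.10 and `tar cf /tmp/etc.tar /etc` to alice's other session from 192.0.2.11, even though both processes run under the same account. As the post notes, this only covers processes alive at the moment `ps` is sampled; anything that has already exited needs the exec() logging approach from scenario 2.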