AIX

Hi

I'm working on AIX.

My question: for example, I'm logging in. I enter command "last" and then I know there are 3 people logging in from 3 different IP at the same time, 2 are in the same account. Then someone enters a command.

Is there any way to know exactly who ( which IP ) enters that command ?

Thank for read ( my English is not good )

no, not that I can think of simple, but you have the possibility to create a history file per logging which could achieve the history part, but you will be in the same situation if both users typed same command at one time because in .sh_history there is kept only the history of what one typed not the time...

who or who -u
should also show who is logged in.
If the user's command is still running, then ps -ef or ps -fp pid shows a terminal (tty or pty) that you can match with the one from who or last.

The answer is a bit complex as we are (probably) talking about two different scenarios:

1) You want to know who of the persons logged in right now is executing a certain command in the moment you are looking at it. This is not possible out of the box, but can perhaps be done with a little scripting effort. There is a list of currently running processes (you can see this list using the "ps" command) and if a user is running a process right now you will see it in this list and you will be able to attribute it to a certain user by analysing the "PPID" (parent process ID).

To implement this there is relatively little effort needed, but it will be limited to processes started during the time you monitor. It will not tell you which command has been issued (or who did it) one hour before you started your monitoring.

In addition, this method will be very taxing on the system and in practice will probably not be feasible.

2) You want the same as above, but also for "historical" data. It is no longer possible to do it by monitoring the process list, because once a process ends it will not be remembered there.

Fortunately there is another way you can do that: every command is - technically speaking - a process which is started by some parent process. For normal commands this parent process is the shell the user types the command into. To open a new process from a parent process there are only a few select system functions which do this: fork() and - ultimately - the exec()-family.

It is possible to intercept this call and write a log about executed exec()-system calls. Because every log on a system could be manipulated bya root-user it will be necessary to store this log on a remote location where the root user of the system has no root authority any more. One can do that by using the syslog-facility.

In fact there exists such a program, it is called "snoopylogger" and you can download it from source forge. I have tried to use it on AIX a few years ago and failed, but it worked well on CentOS/RedHat. It may be working on AIX too by now. You will have to try it.

I hope this helps.

bakunin

I can get the ppid of the processs, but how to get the detail informations from that ppid. For example, I know process's user is "guest", process's PPID is 1000000, but there are both 2 people using user "guest" from 2 diferent IP. So how to know which people ( IP ) begin the process ??

With the PPID and the PID you can reconstruct "trees" of processes. Here is an example: a user types "ls" on the commandline. The following has happened:

The "login"-process has started a login-shell for that user. Because this shell is attached to a (maybe virtual) terminal you can distinguish separate sessions of the same user. They will differ in the terminal they use. This shell now starts another process, "ls".

Searching the process list for the user will give you some entries including the "ls" process. Read the PPID field and search the list again for a process having this process number in the PID field. This is the process which has started the "ls"-process - the shell it was started from. With the process information from this shell you find out which session of the user originated the process.

I hope this helps.

bakunin

Get it

Thanks a lot