HP-UX history settings


 
# 8  
Old 12-13-2011
Yep, under normal circumstances where users log in and do all sorts of funny stuff I'd agree with him. I probably should've elaborated in my original post a bit.

In this case, the account is used exclusively by an automated system, always using the same OS account and always running straight shell commands every so often. All the commands the automated system was configured to run show up in the history, and as often as we would expect it to show up.

My problem with this is a) how did they establish that this account ran the command they're talking about repeatedly? b) if all the other commands show up, why not the one they claim was run?


I accept that it's not as clear cut as every single command an OS account ever runs getting logged in the history files, but in this case I just don't think the sysadmin is on the right track. He's essentially resorted to shifting all blame on to the automated system.


Were it up to me, I'd want the following done:
- Create a completely new, secure, dedicated OS account for use by the automated system only, as I seriously suspect that the OS account they're referring to might just be compromised.
- Configure some serious auditing on this new account. Log who logged in from where and at what time. More to the point, log whenever something other than the automated system logs in to this account.
- Have the sysadmins simply remove any privileges to commands they're not comfortable with users having access to.
- Have the automated system connect to a test system first and have the sysadmins monitor the server for a specified amount of time to make sure nothing happens that they're not happy with.
- If everyone's still happy at this point, carry out the same steps on the proper system.


Anyways, thanks again for all the help guys. And wish me luck!
# 9  
Old 12-14-2011
This is another case...
In history files, you would expect to see all commands typed by the user. If in a shell script there are many programs/commands called, since the user did not type them on the keyboard, you will have very little chance of seeing them in $HISTFILE...
Anything like cron or another scheduler has its own log facilities that need to be configured adequately to suit your request; in other words, HISTFILE is set for an interactive shell only (logging the STDIN activity)... This explains why you see nothing...
# 10  
Old 12-15-2011
Quote:
Originally Posted by vbe
This is another case...
In history files, you would expect to see all commands typed by the user. If in a shell script there are many programs/commands called, since the user did not type them on the keyboard, you will have very little chance of seeing them in $HISTFILE...
Anything like cron or another scheduler has its own log facilities that need to be configured adequately to suit your request; in other words, HISTFILE is set for an interactive shell only (logging the STDIN activity)... This explains why you see nothing...

Which brings me to the other thing I neglected to mention (sorry, as it turns out I left out quite a lot of detail originally).
The automated system uses only Java libraries or plink.exe to connect from a Windows client machine. I know for a fact both the commands configured to run over the Java libs and plink.exe show up fine in the history.

EDIT: Scratch that, seems commands run over plink.exe do not show up... The plot thickens.

---------- Post updated 12-15-11 at 08:51 AM ---------- Previous update was 12-14-11 at 01:19 PM ----------

Quick update regarding this:


Checked, double-checked and checked again that any commands using Java libs show up in the history files. I'm not sure if every single command will show up, but I fully expect at least one instance of a command to show up at least once as the commands are all run every 10 minutes or so.

The commands using plink.exe are a bit trickier as they do not show up for some reason. I'm not sure how I'd go about running plink in such a way to make the O/S treat the session as a normal user SSH session (thereby dumping the commands in the history files as well), but regardless, I'm reasonably sure the commands we run using plink are fine.
The only times we would use plink is if we connect to the HP-UX O/S by means of custom Python scripts and, since the bulk of these scripts were written by me and reside in a central location, I'm sure the command they claim was run would not have been kicked off by this.


At this point I must add that it turns out there's not just one automated system that connects to this server. It also turns out that the O/S account isn't exclusively used only by this one automated system...

I'll update again if anything worthwhile pops up. Thanks again for the help so far with this guys.

Last edited by kinetik; 12-14-2011 at 07:26 AM..
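
The auditing step proposed in post #8 (log who logs in to the account, from where and when, and flag anything other than the automated system), as an added example that is not part of the thread: it reads sshd "Accepted" syslog lines, which are written once per authenticated SSH session, instead of shell history, which the thread notes misses non-interactive commands. The OpenSSH-style line format, the account name autosvc, the host name hpux01 and all addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accepted SSH logins to a service account that come
# from a source address the automated system does not use.
# Input on stdin: OpenSSH-style sshd syslog lines (format is an assumption).

# unexpected_logins ACCOUNT "ALLOWED_ADDR [ALLOWED_ADDR ...]"
#   Prints "month day time method source" for each accepted login to
#   ACCOUNT whose source address is not in the allow-list.
unexpected_logins() {
    awk -v acct="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            # Find "Accepted <method> for <user> from <addr>" by keyword and
            # require it to follow the sshd[pid]: tag directly, so text an
            # outsider controls (e.g. a bogus user name) cannot fake a match.
            for (i = 2; i <= NF - 5; i++) {
                if ($(i-1) ~ /^sshd\[[0-9]+\]:$/ && $i == "Accepted" &&
                    $(i+2) == "for" && $(i+4) == "from") {
                    if ($(i+3) == acct && !($(i+5) in ok))
                        print $1, $2, $3, $(i+1), $(i+5)
                    break
                }
            }
        }'
}

# Constructed sample log: the automated system connects from 10.0.0.5
# every ten minutes; one login to the same account comes from elsewhere.
sample_log() {
    cat <<'EOF'
Dec 14 09:40:01 hpux01 sshd[2201]: Accepted password for autosvc from 10.0.0.5 port 51500 ssh2
Dec 14 09:47:12 hpux01 sshd[2260]: Accepted publickey for autosvc from 10.0.9.77 port 40122 ssh2
Dec 14 09:48:30 hpux01 sshd[2266]: Failed password for autosvc from 10.0.9.80 port 40190 ssh2
Dec 14 09:50:01 hpux01 sshd[2290]: Accepted password for autosvc from 10.0.0.5 port 51533 ssh2
Dec 14 09:52:44 hpux01 sshd[2301]: Accepted password for oper1 from 10.0.9.77 port 40201 ssh2
EOF
}

# Report logins to autosvc that did not come from the automated system.
sample_log | unexpected_logins autosvc "10.0.0.5"
```

Against a real server, feed the function the file that sshd's syslog facility writes to and pass every address the automated systems connect from.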