Solved

user activity logging in AIX

Posted on 2009-07-08
1,968 Views
Last Modified: 2013-11-17
Hello,

I want to log every interactive login session of each user (including root) in AIX 5.3 in a way that:

1) the user cannot bypass this mechanism or delete the logs of his/her sessions
2) I just want to log the interactive shells, not the others
3) no performance impact
4) a remote logging facility is preferable

I have found some login scripts using the "script" command, but these violate rule #1.
Question by:AnkCBS
5 Comments
 
LVL 14

Expert Comment

by:sjm_ee
ID: 24801987
AIX has a built-in accounting system, see http://www.redbooks.ibm.com/abstracts/sg246396.html?Open, which can be configured to satisfy (1) and (2), but don't expect a free lunch (3). However, I have never known it to have a great performance impact.
LVL 68

Expert Comment

by:woolmilkporc
ID: 24801992
Hi,

Do you really mean every single command of any logged-in user?
This could give you tons of output!

Wouldn't it be enough to enable auditing in a way that only selected, important activities will be logged? Of course this is configurable according to your needs, as detailed as you like.
An IBM Redbook covering this is here:

http://www.redbooks.ibm.com/abstracts/sg246396.html

IBM provides much more info about auditing.
To find it, start from here:

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp


If you want to record everything nonetheless, there is an auditing feature in ksh93.
Have a first look at it and find a downloadable audit-enabled version of ksh93 here:

http://www.ibm.com/developerworks/aix/library/au-korn93/index.html?S_TACT=105AGX20&S_CMP=EDU


I think you're right, 'script' is not an option here, as it will start a subshell which could easily be left using 'exit'.

Please come back here and tell me how you'd like to proceed. I would try to help then, if necessary.


wmp

Author Comment

by:AnkCBS
ID: 24802747
Hello Woolmilkporc,

So far, there are 3 alternatives I have found:

1) with script command (which is "out" for us)

2) audit
I think it is the "PROC_Execute" event which I should enable for each user in order to trace them. In this case I have 2 questions:
a) In the output there is only the executable name; there are no parameters, which are very important for us (i.e. the directory changed to in a "cd" command)
b) What about non-interactive shell sessions? Does it still collect the audit info for this event?

3) ksh93
a) What about after a shell substitution command like "exec bash"? The Korn shell will be replaced by the bash shell. In this situation, will it continue to log the session?
b) What about non-interactive shell sessions? Does it still collect the audit info for this event?


Furthermore, I am still looking for other good alternatives apart from these three. Are there any you know?

By the way, thanks for the info Norbert, and it is nice to hear from you after a long time.
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 24803217
Hi Mustafa,
pleased to meet you, too!
1) OK, consent.
2a) The output is formatted according to /etc/security/audit/events. I don't think that one could change the settings there, but I'm still researching ...
2b) If the user running the shell is entitled to be audited, yes.
3a) OK, that's the biggest drawback with ksh93att. I don't think there is a simple solution, besides removing execution rights for 'others' from those shells. A 'restricted' shell would make things a bit easier. You can achieve this by linking your new "audited" ksh93, named e.g. 'ksh93att', to 'rksh93att'.
If you're interested in knowing how to 'harden' a restricted shell, look at this EE case, where I explained it a bit - 24680534
The logfile of the audited ksh93 of course needs to be writable, and thus corruptible, by everyone. To avoid this, you can fortunately redirect the audit records to syslog (local or remote), which I would strongly recommend.
3b) If non-interactive means running a script, you can always leave the 'shebang' (#!/bin/sh) as is, thus not using the audit-enabled shell.
Cheers for now
Norbert (wmp)
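As an added example (not code from the thread or from IBM), here is a small triage script for the setup Norbert recommends: the audited ksh93's records forwarded to a remote syslog host. It shows two things the thread raises: per-user `cd` targets, which an AIX audit PROC_Execute record lacks but a command-level shell audit keeps (2a), and sessions that replaced the audited shell via `exec bash`-style substitution, after which nothing more is recorded (3a). The `uid;tty;epoch;command` field layout and the sample records are constructed assumptions, not the documented ksh93 audit format; adapt `parse()` to what your build actually emits.

```python
"""Triage forwarded shell-audit records (added example, assumed record format)."""
import shlex

# Shells whose appearance as a command means the audited shell was replaced
# and the rest of that session is invisible to the audit log.
ESCAPE_SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}

# Constructed sample records (not real logs): uid;tty;epoch;command
SAMPLE = """\
0;/dev/pts/0;1247040000;cd /etc/security/audit
0;/dev/pts/0;1247040005;vi events
205;/dev/pts/1;1247040010;cd /tmp
205;/dev/pts/1;1247040012;exec bash
300;/dev/pts/2;1247040020;rksh93att -c 'id'
"""

def parse(line):
    """Split one assumed-format record into its fields."""
    uid, tty, ts, cmd = line.split(";", 3)
    return {"uid": int(uid), "tty": tty, "ts": int(ts), "cmd": cmd}

def records(text):
    return [parse(l) for l in text.splitlines() if l.strip()]

def escapes_audited_shell(cmd):
    """True if the command hands the session to an unaudited shell."""
    try:
        words = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: not a shell launch
        return False
    if words and words[0] == "exec":
        words = words[1:]
    return bool(words) and words[0].rsplit("/", 1)[-1] in ESCAPE_SHELLS

def blind_sessions(text):
    """(uid, tty) -> epoch of the first record after which the session is unaudited."""
    blind = {}
    for r in records(text):
        if escapes_audited_shell(r["cmd"]):
            blind.setdefault((r["uid"], r["tty"]), r["ts"])
    return blind

def cd_targets(text):
    """uid -> directories changed into, the argument the question asks for."""
    out = {}
    for r in records(text):
        words = shlex.split(r["cmd"])
        if len(words) >= 2 and words[0] == "cd":
            out.setdefault(r["uid"], []).append(words[1])
    return out

if __name__ == "__main__":
    print("unaudited sessions:", blind_sessions(SAMPLE))
    print("cd targets:", cd_targets(SAMPLE))
```

A session listed by `blind_sessions` is one where rule #1 of the question no longer holds, which is the reason for the restricted-shell and permission advice in 3a.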