• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2332
  • Last Modified:

user activity logging in AIX


I want to to log every interactive login sessions of each user (including root) in AIX 5.3 in a way that:

1) user can not bypass this mechanism, or delete the logs of his/her sessions
2) just want to log the interactive shells, not the others
3) no performance impact
4) remote logging facility is preferrable

I have found some login scripts including "script command" but these violete the rule #1.
  • 2
1 Solution
AIX has a built in accounting system, see http://www.redbooks.ibm.com/abstracts/sg246396.html?Open which can be configured to satisfy (1) and (2) but don't expect a free lunch (3). However I have never known it to have a great performance impact.

do you really mean every single command of any logged-in user?
This could give you tons of output!

Wouldn't it be enough to enable auditing, in a way that only selected, important activities
will be logged? Of course this is configurable according to your needs, as detailed as you like.
An IBM Redbook covering this is here:


IBM provides much more info about auditing.
To find it, start from here:


If you want to record everything nonethless, there is an auditing feature in ksh93.
Have a first look at it and find a downloadable audit-enabled version of ksh93 here:


I think you're right,  'script' is not an option here, as it will start a subshell which could easily be left using 'exit'.

Please come back here and tell me how you'd like to proceed. I would try to help then, if necessary.

AnkCBSAuthor Commented:
Hello Woolmilkproc,

So far, there are 3 alternatives I have found:

1) with script command (which is "out" for us)

2) audit
I think it is the "PROC_Execute" event which I should enable for each user in order to trace them. In this case I have 2 questions:
a) In the outputs, there is only executable name, there is no parameters which are very important for us (ie. the changed directory in "cd" command)
b) What about in non-interactive shell sessions, does it still collect the audit info of this event

3) ksh93
a) What about after a shell substitution command like "exec bash", the korn shell will be replaced by the bash shell. In this situation, will it continue to log the session?
b)  What about in non-interactive shell sessions, does it still collect the audit info of this event

Furthermore, I am still looking for other good alternatives apart from these three. Are there any you know?

By the way, thanks for the info Norbert, and it is nice to hear from you after a long time.
Hi Mustafa,
pleased to meet you, too!
1) OK, consent.
2a) The output is formatted according to /etc/security/audit/events. I don't think that one could change the settings there, but I'm still researching ...
2b) If the user running the shell is entitled to be audited, yes.
3a) OK, that's the biggest drawback with ksh93att. I don't think there is a simple solution, besides removing execution rights for 'others' from those shells. A 'restricted' shell would make things a bit easier. You can achieve this by linking your new "audited" ksh93 named e.g. 'ksh93att' to 'rksh93att'.
If you're interested to know how to 'harden' a restricted shell - look at this EE case, where I explained it a bit - 24680534
The logfile of the audited ksh93 needs of course to be writeable, thus corruptible, by everyone. To avoid this, you can fortunately redirect the audit records to syslog (local or remote) which I would strongly recommend.
3b) If non-interactive means running a script, you can always leave the 'shebang' (#!/bin/sh) as is, thus not using the audit enabled shell.
Cheers for now
Norbert (wmp)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now