Solved

user activity logging in AIX

Posted on 2009-07-08
5
1,988 Views
Last Modified: 2013-11-17
Hello,

I want to to log every interactive login sessions of each user (including root) in AIX 5.3 in a way that:

1) user can not bypass this mechanism, or delete the logs of his/her sessions
2) just want to log the interactive shells, not the others
3) no performance impact
4) remote logging facility is preferrable

I have found some login scripts including "script command" but these violete the rule #1.
0
Comment
Question by:AnkCBS
  • 2
5 Comments
 
LVL 14

Expert Comment

by:sjm_ee
ID: 24801987
AIX has a built in accounting system, see http://www.redbooks.ibm.com/abstracts/sg246396.html?Open which can be configured to satisfy (1) and (2) but don't expect a free lunch (3). However I have never known it to have a great performance impact.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24801992
Hi,

do you really mean every single command of any logged-in user?
This could give you tons of output!

Wouldn't it be enough to enable auditing, in a way that only selected, important activities
will be logged? Of course this is configurable according to your needs, as detailed as you like.
An IBM Redbook covering this is here:

http://www.redbooks.ibm.com/abstracts/sg246396.html

IBM provides much more info about auditing.
To find it, start from here:

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp


If you want to record everything nonethless, there is an auditing feature in ksh93.
Have a first look at it and find a downloadable audit-enabled version of ksh93 here:

http://www.ibm.com/developerworks/aix/library/au-korn93/index.html?S_TACT=105AGX20&S_CMP=EDU


I think you're right,  'script' is not an option here, as it will start a subshell which could easily be left using 'exit'.

Please come back here and tell me how you'd like to proceed. I would try to help then, if necessary.


wmp
0
 

Author Comment

by:AnkCBS
ID: 24802747
Hello Woolmilkproc,

So far, there are 3 alternatives I have found:

1) with script command (which is "out" for us)

2) audit
I think it is the "PROC_Execute" event which I should enable for each user in order to trace them. In this case I have 2 questions:
a) In the outputs, there is only executable name, there is no parameters which are very important for us (ie. the changed directory in "cd" command)
b) What about in non-interactive shell sessions, does it still collect the audit info of this event

3) ksh93
a) What about after a shell substitution command like "exec bash", the korn shell will be replaced by the bash shell. In this situation, will it continue to log the session?
b)  What about in non-interactive shell sessions, does it still collect the audit info of this event


Furthermore, I am still looking for other good alternatives apart from these three. Are there any you know?

By the way, thanks for the info Norbert, and it is nice to hear from you after a long time.
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 24803217
Hi Mustafa,
pleased to meet you, too!
1) OK, consent.
2a) The output is formatted according to /etc/security/audit/events. I don't think that one could change the settings there, but I'm still researching ...
2b) If the user running the shell is entitled to be audited, yes.
3a) OK, that's the biggest drawback with ksh93att. I don't think there is a simple solution, besides removing execution rights for 'others' from those shells. A 'restricted' shell would make things a bit easier. You can achieve this by linking your new "audited" ksh93 named e.g. 'ksh93att' to 'rksh93att'.
If you're interested to know how to 'harden' a restricted shell - look at this EE case, where I explained it a bit - 24680534
The logfile of the audited ksh93 needs of course to be writeable, thus corruptible, by everyone. To avoid this, you can fortunately redirect the audit records to syslog (local or remote) which I would strongly recommend.
3b) If non-interactive means running a script, you can always leave the 'shebang' (#!/bin/sh) as is, thus not using the audit enabled shell.
Cheers for now
Norbert (wmp)
 
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How do we balance the user experience (UX) with reasonable security measures? It can be done, if you keep these fundamentals in mind.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question