Solved

user activity logging in AIX

Posted on 2009-07-08
Last Modified: 2013-11-17
Hello,

I want to log every interactive login session of each user (including root) in AIX 5.3 in a way that:

1) user can not bypass this mechanism, or delete the logs of his/her sessions
2) just want to log the interactive shells, not the others
3) no performance impact
4) remote logging facility is preferable

I have found some login scripts including "script command" but these violate the rule #1.
0
Question by:AnkCBS
 
LVL 14

Expert Comment

by:sjm_ee
ID: 24801987
AIX has a built-in accounting system, see http://www.redbooks.ibm.com/abstracts/sg246396.html?Open which can be configured to satisfy (1) and (2) but don't expect a free lunch (3). However I have never known it to have a great performance impact.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24801992
Hi,

do you really mean every single command of any logged-in user?
This could give you tons of output!

Wouldn't it be enough to enable auditing, in a way that only selected, important activities
will be logged? Of course this is configurable according to your needs, as detailed as you like.
An IBM Redbook covering this is here:

http://www.redbooks.ibm.com/abstracts/sg246396.html

IBM provides much more info about auditing.
To find it, start from here:

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp


If you want to record everything nonetheless, there is an auditing feature in ksh93.
Have a first look at it and find a downloadable audit-enabled version of ksh93 here:

http://www.ibm.com/developerworks/aix/library/au-korn93/index.html?S_TACT=105AGX20&S_CMP=EDU


I think you're right,  'script' is not an option here, as it will start a subshell which could easily be left using 'exit'.

Please come back here and tell me how you'd like to proceed. I would try to help then, if necessary.


wmp
0
 

Author Comment

by:AnkCBS
ID: 24802747
Hello Woolmilkporc,

So far, there are 3 alternatives I have found:

1) with script command (which is "out" for us)

2) audit
I think it is the "PROC_Execute" event which I should enable for each user in order to trace them. In this case I have 2 questions:
a) In the output, there is only the executable name; there are no parameters, which are very important for us (i.e. the changed directory in the "cd" command)
b) What about in non-interactive shell sessions, does it still collect the audit info of this event?

3) ksh93
a) What about after a shell substitution command like "exec bash", the korn shell will be replaced by the bash shell. In this situation, will it continue to log the session?
b) What about in non-interactive shell sessions, does it still collect the audit info of this event?


Furthermore, I am still looking for other good alternatives apart from these three. Are there any you know?

By the way, thanks for the info Norbert, and it is nice to hear from you after a long time.
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 24803217
Hi Mustafa,
pleased to meet you, too!
1) OK, consent.
2a) The output is formatted according to /etc/security/audit/events. I don't think that one could change the settings there, but I'm still researching ...
2b) If the user running the shell is entitled to be audited, yes.
3a) OK, that's the biggest drawback with ksh93att. I don't think there is a simple solution, besides removing execution rights for 'others' from those shells. A 'restricted' shell would make things a bit easier. You can achieve this by linking your new "audited" ksh93 named e.g. 'ksh93att' to 'rksh93att'.
If you're interested to know how to 'harden' a restricted shell - look at this EE case, where I explained it a bit - 24680534
The logfile of the audited ksh93 needs of course to be writeable, thus corruptible, by everyone. To avoid this, you can fortunately redirect the audit records to syslog (local or remote) which I would strongly recommend.
3b) If non-interactive means running a script, you can always leave the 'shebang' (#!/bin/sh) as is, thus not using the audit enabled shell.
Cheers for now
Norbert (wmp)
 
0
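
A check for the two conditions raised in answer 3a, as an added example that is not part of the thread: it lists accounts whose login shell is not the audited shell, and shell binaries that 'others' can still execute (and so reach with `exec`). The install path `/usr/bin/ksh93att`, the account names and the passwd lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and accounts are assumptions.

# Constructed /etc/passwd-style sample; ksh93att and rksh93att are the audited
# shell and its restricted link from the answer, at an assumed install path.
sample_passwd() {
cat <<'EOF'
root:!:0:0::/:/usr/bin/ksh93att
alice:!:201:1::/home/alice:/usr/bin/rksh93att
bob:!:202:1::/home/bob:/usr/bin/bash
carol:!:203:1::/home/carol:
svc:*:300:1::/var/svc:/usr/bin/false
EOF
}

# unaudited_logins PASSWD_FILE "SHELL1 SHELL2 ..."
# Prints user:shell for every account that can log in with a shell that is
# not in the space-separated list of audited shells.
unaudited_logins() {
    awk -F: -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        /^#/ || NF < 7            { next }
        $7 == ""                  { print $1 ":(system default shell)"; next }
        $7 ~ /\/(false|nologin)$/ { next }
        !($7 in allowed)          { print $1 ":" $7 }
    ' "$1"
}

# world_exec_shells FILE...
# Prints each existing file that "others" may execute, i.e. an unaudited
# shell a user could still reach with "exec".
world_exec_shells() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Character 10 of the ls mode string is the others-execute bit.
        bit=$(ls -ldL "$f" | cut -c10)
        case "$bit" in x|t) echo "$f" ;; esac
    done
}

# Demo on the constructed sample and on a few common shell paths.
sample_passwd | unaudited_logins - "/usr/bin/ksh93att /usr/bin/rksh93att"
world_exec_shells /usr/bin/bash /usr/bin/csh /usr/bin/ksh /usr/bin/sh
```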
