Solved

user activity logging in AIX

Posted on 2009-07-08
5
2,015 Views
Last Modified: 2013-11-17
Hello,

I want to to log every interactive login sessions of each user (including root) in AIX 5.3 in a way that:

1) user can not bypass this mechanism, or delete the logs of his/her sessions
2) just want to log the interactive shells, not the others
3) no performance impact
4) remote logging facility is preferrable

I have found some login scripts including "script command" but these violete the rule #1.
0
Comment
Question by:AnkCBS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 14

Expert Comment

by:sjm_ee
ID: 24801987
AIX has a built in accounting system, see http://www.redbooks.ibm.com/abstracts/sg246396.html?Open which can be configured to satisfy (1) and (2) but don't expect a free lunch (3). However I have never known it to have a great performance impact.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24801992
Hi,

do you really mean every single command of any logged-in user?
This could give you tons of output!

Wouldn't it be enough to enable auditing, in a way that only selected, important activities
will be logged? Of course this is configurable according to your needs, as detailed as you like.
An IBM Redbook covering this is here:

http://www.redbooks.ibm.com/abstracts/sg246396.html

IBM provides much more info about auditing.
To find it, start from here:

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp


If you want to record everything nonethless, there is an auditing feature in ksh93.
Have a first look at it and find a downloadable audit-enabled version of ksh93 here:

http://www.ibm.com/developerworks/aix/library/au-korn93/index.html?S_TACT=105AGX20&S_CMP=EDU


I think you're right,  'script' is not an option here, as it will start a subshell which could easily be left using 'exit'.

Please come back here and tell me how you'd like to proceed. I would try to help then, if necessary.


wmp
0
 

Author Comment

by:AnkCBS
ID: 24802747
Hello Woolmilkproc,

So far, there are 3 alternatives I have found:

1) with script command (which is "out" for us)

2) audit
I think it is the "PROC_Execute" event which I should enable for each user in order to trace them. In this case I have 2 questions:
a) In the outputs, there is only executable name, there is no parameters which are very important for us (ie. the changed directory in "cd" command)
b) What about in non-interactive shell sessions, does it still collect the audit info of this event

3) ksh93
a) What about after a shell substitution command like "exec bash", the korn shell will be replaced by the bash shell. In this situation, will it continue to log the session?
b)  What about in non-interactive shell sessions, does it still collect the audit info of this event


Furthermore, I am still looking for other good alternatives apart from these three. Are there any you know?

By the way, thanks for the info Norbert, and it is nice to hear from you after a long time.
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 24803217
Hi Mustafa,
pleased to meet you, too!
1) OK, consent.
2a) The output is formatted according to /etc/security/audit/events. I don't think that one could change the settings there, but I'm still researching ...
2b) If the user running the shell is entitled to be audited, yes.
3a) OK, that's the biggest drawback with ksh93att. I don't think there is a simple solution, besides removing execution rights for 'others' from those shells. A 'restricted' shell would make things a bit easier. You can achieve this by linking your new "audited" ksh93 named e.g. 'ksh93att' to 'rksh93att'.
If you're interested to know how to 'harden' a restricted shell - look at this EE case, where I explained it a bit - 24680534
The logfile of the audited ksh93 needs of course to be writeable, thus corruptible, by everyone. To avoid this, you can fortunately redirect the audit records to syslog (local or remote) which I would strongly recommend.
3b) If non-interactive means running a script, you can always leave the 'shebang' (#!/bin/sh) as is, thus not using the audit enabled shell.
Cheers for now
Norbert (wmp)
 
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question