Re: Tracking User activity on 4.3.3

From: Justin Bleistein (justin.bleistein_at_TOWERSPERRIN.COM)
Date: 11/09/05

  • Next message: AIX Geek: "Re: Tracking User activity on 4.3.3"
    Date:         Wed, 9 Nov 2005 10:54:27 -0500
    To: aix-l@Princeton.EDU
    
    

    Well, the tools I use are on the AIX system. There are a lot of native
    tools you could use which are part of the Unix system AIX is based on. For
    instance "/var/adm/sulog", the "last" command, etc... You could also use some
    creative Perl programming, or Unix shell scripting (pick your poison).

    Now, for the big guns.. AIX has a built-in tool which is installed as part
    of "bos.rte.security": AIX auditing. This tool will allow you to
    set up classes. These classes can monitor everything on the system, from
    what files they are accessing, when they log in, to when they create a
    cron job. It's free and part of the o/s. There are many
    great redbooks out there at "http://www.ibm.com/redbooks". It's called,
    creatively enough, "AIX Auditing and Accounting". Accounting is also a
    free feature you can turn on, as well as TCB (well, that can only be turned
    on at system BOS installation), and RMC for monitoring and notifying. Just
    some suggestions.

    You may want to look at some freeware tools as well, such as "tripwire"
    and what not. I usually advise against freeware on production/mission
    critical systems though..

    Thanks.

    --Justin Richard Bleistein
     AIX Systems Administrator

    Vipin Khushu-Suse <vkhushu@GUERNSEYOP.COM>
    Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
    11/09/2005 10:33 AM
    Please respond to
    IBM AIX Discussion List <aix-l@Princeton.EDU>

    To
    aix-l@Princeton.EDU
    cc

    Subject
    Tracking User activity on 4.3.3

    Greetings All:
     
    I'll be setting up a new user (other than root) with root authority. And yes,
    the admonition against this practice is duly noted by yours truly.
     
    In order to keep a close watch on things, I need to accomplish the
    following:
     
    1] track and capture in a log(s) everything this user does upon login
    including any attempt to su to another user. The log(s) should preferably
    be stored somewhere other than the user's home directory so that
    any attempt to hide one's tracks is difficult.
     
    2] be alerted when this user logs in. I suppose I can use 'last' for
    that purpose unless there's a more proactive way to know this.
     
    3] Any other strategy you know of that can aid in keeping tabs on the
    activities of this user.
     
    Any documentation you can point me to help gain a better understanding of
    the issues involved is also appreciated.
     
    By the way, the user will login remotely using putty-ssh.
     
    TIA
    VK

