From: Binkley Robert - rbinkl (Robert.Binkley@acxiom.com)
Date: Thu Jul 17 2003 - 12:36:46 EDT
Thanks to everyone that replied:
-----Original Message-----
From: Binkley Robert - rbinkl [mailto:Robert.Binkley@acxiom.com]
Sent: Thursday, July 17, 2003 11:00 AM
To: Hpux-Admin (E-mail)
Subject: [HPADM] Security Tracking
Hello Admins
I have been given a task, on monitoring one of our credit customers'
boxes.
The problem I am faced with is that the customer wanted to know if there
is a way to track each user's .sh_history for rmdir or rm* or rm -rf and log
the information in a file.
---------------------------------------------------------------------
**********************************************************************
The information contained in this communication is
confidential, is intended only for the use of the recipient
named above, and may be legally privileged.
If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination,
distribution, or copying of this communication is strictly
prohibited.
If you have received this communication in error,
please re-send this communication to the sender and
delete the original message or any copy of it from your
computer system. Thank You.
attached mail follows:
Robert:
One way would be to create a script that executes as root. It can look at
each .sh_history file for every user listed in /etc/passwd and grep for
'rm'.
Here's a quick example:
#!/usr/bin/ksh
#
# sh_hist_check
#
# Look at each user in /etc/passwd.
while read -r LINE; do
    # Field 1 is the login name, field 6 is the home directory.
    USER=$(echo "$LINE" | awk -F: '{print $1}')
    HOMEDIR=$(echo "$LINE" | awk -F: '{print $6}')
    # Does .sh_history exist in the user's home directory? If so,
    # grep for all occurrences of rm and store information in file.
    if [ -f "$HOMEDIR/.sh_history" ]; then
        echo "\nUser: $USER" >> /tmp/outfile
        grep -w 'rm' "$HOMEDIR/.sh_history" >> /tmp/outfile
    fi
done < /etc/passwd
exit
Of course this can be modified as needed.
I hope this helps,
Steve Illgen
UNIX Systems Administrator
Cracker Barrel Old Country Store, Inc.
"Pass the Biscuits, Please!"
attached mail follows:
Robert:
Yes there is.
Set up all users' .profile, or you may be able to do this in /etc/profile, to:
export HISTFILE=/tmp/.sh_history.$LOGNAME.$$
Then you have a file in /tmp/ (or somewhere else if you want it somewhere
else) that you can check.
Then you have to clean these up, so they don't fill up the disk.
Create a cron job:
find /tmp/ -name "*.sh_history*" -atime +10 -exec rm {} \;
to remove them
Stuart
Stuart Abramson | Off: 412/825-1434 | Cell: 412/417-1567 | email: sabramson@wabtec.com
***** CONFIDENTIALITY NOTE *****
The content contained in this e-mail transmission is legally privileged and
confidential information intended only for the use of the individual or
entity named herein. If the reader of this transmission is not the intended
recipient, you are hereby notified that any dissemination, distribution, or
copying of this transmission is strictly prohibited.
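Added example, not part of either reply: one scanner covering both layouts described above, the per-user $HOME/.sh_history found by walking a passwd file and the per-session files named .sh_history.$LOGNAME.$$. It separates rm, recursive rm and rmdir, looks at the command word rather than any occurrence of "rm" (so `grep rm notes.txt` is not logged), and strips the NUL and control bytes that ksh history files contain. The function names and the tab-separated log layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Sample paths are hypothetical.

# classify_rm: history text on stdin -> "<category><TAB><command>" per hit.
classify_rm() {
    # ksh history files contain NUL separators and control bytes: make NULs
    # newlines, then keep only tab, newline and printable ASCII.
    tr '\000' '\n' | tr -cd '\11\12\40-\176' | awk '
    {
        n = split($0, seg, /[;|&]+/)       # also catches "cd /x && rm -rf y"
        for (i = 1; i <= n; i++) {
            cmd = seg[i]; sub(/^[ \t]+/, "", cmd)
            m = split(cmd, w, /[ \t]+/)
            base = w[1]; sub(/^.*\//, "", base)   # /usr/bin/rm -> rm
            if (base == "rmdir") cat = "rmdir"
            else if (base == "rm") {
                cat = "rm"
                for (j = 2; j <= m && w[j] ~ /^-/; j++)
                    if (w[j] ~ /^-[A-Za-z]*[rR]/) cat = "rm-recursive"
            } else continue
            printf "%s\t%s\n", cat, cmd
        }
    }'
}

# scan_history USER FILE LOG: append user, file, category, command (tab-separated).
scan_history() {
    [ -f "$2" ] && [ -r "$2" ] || return 0
    classify_rm < "$2" | while IFS= read -r hit; do
        printf '%s\t%s\t%s\n' "$1" "$2" "$hit"
    done >> "$3"
}

# scan_homes PASSWD LOG: one $HOME/.sh_history per passwd entry (field 6).
scan_homes() {
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        scan_history "$user" "$home/.sh_history" "$2"
    done < "$1"
}

# scan_sessions DIR LOG: per-session files named DIR/.sh_history.<LOGNAME>.<pid>.
scan_sessions() {
    for f in "$1"/.sh_history.*.*; do
        [ -f "$f" ] || continue
        user=${f##*/.sh_history.}; user=${user%.*}   # name-derived, not verified
        scan_history "$user" "$f" "$2"
    done
}
```

Shell history is written and editable by the user being monitored, and HISTFILE can be changed or unset in a session, so the resulting log shows what was recorded rather than everything that was run.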
--
---> Please post QUESTIONS and SUMMARIES only!! <---
To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
Name: hpux-admin@dutchworks.nl
Owner: owner-hpux-admin@dutchworks.nl
Archives: ftp.dutchworks.nl:/pub/digests/hpux-admin (FTP, browse only)
          http://www.dutchworks.nl/htbin/hpsysadmin (Web, browse & search)
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:31 EDT