[Sunhelp] logging

Chanaka Mendis sunhelp at sunhelp.org
Wed Nov 1 00:28:23 CST 2000


Dale Ghent wrote:

> On Tue, 31 Oct 2000, Bob C. Ruddy wrote:
>
> |
> | Look at the process accounting packages. They will let you know who ran
> | what command, when, and how many resources the command took from the
> | system. Again you will find procedures on docs.sun.com like previously
> | mentioned.
>
> Yeah, but that's not quite what I was looking for. Process accounting won't
> record one very basic thing... the whole argument string to a
> command. It'll only record argv[0].
>
> Sure, I'll know that user root ran rm at such-and-such time. But what
> file did he rm ?
>
> Simple stuff like that is lacking.
>
> /dale

Dale,
You have to edit the audit_user, audit_startup and audit_control files.

In the audit_startup file, put the option argv (on a new line), and enable all in the other two
files for the particular command that you need to audit.

Then you have to analyse the output of auditreduce -u <user> | praudit.

/Gayantha
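
The three edits described in the message above, written out as an added configuration sketch (not part of the original post). It assumes BSM auditing is already enabled on the host, the files live in /etc/security, and the account to watch is root; the dir, minfree and naflags values are illustrative, and the note about the ex class is an addition the post does not make.

```conf
# --- /etc/security/audit_startup (shell script run when auditing starts) ---
# Add on its own line, after the existing auditconfig lines.
# The argv policy records the full argument vector of each exec,
# so the trail shows "rm /some/file" rather than just "rm".
/usr/sbin/auditconfig -setpolicy +argv

# --- /etc/security/audit_control (system-wide defaults) ---
# flags:all follows the message above: every audit class is recorded.
# That produces large trails; the ex (exec) class alone is the narrower
# choice if only command execution matters (assumption, not from the post).
dir:/var/audit
flags:all
minfree:20
naflags:lo

# --- /etc/security/audit_user (per-user settings) ---
# Format: username:always-audit-classes:never-audit-classes
# "no" in the last field means no class is excluded.
root:all:no

# --- Reviewing the trail afterwards (run as root) ---
# auditreduce selects the records for one user, praudit prints them as text:
#   auditreduce -u root | praudit
```

The new settings apply to sessions started after auditing is restarted with the edited files; existing logins keep the audit mask they were given at login.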

