[Sunhelp] logging

Chris Hall sunhelp at sunhelp.org
Wed Nov 1 12:45:13 CST 2000


Apologies in advance if this has been addressed already.
I came across the same issues at one point, and what I did was add
the following to
/etc/.cshrc (since all of our users primarily only use tcsh / csh)

set history = 100
set savehist = 100

and /etc/.logout

set histd=/var/adm/log/history/$USER
touch $histd
echo "------------------------------" >> $histd
echo `date` >> $histd
echo "-------------------------------" >> $histd
history >> $histd
chmod 700 $histd

Now you can see this is not foolproof in any way (i.e., ~/.logout
overrides this), but it helps and does what I need. This generates huge
files, so I just created a script run from cron that will change the
permissions / owner and back the files up.

[serv] # cat /adm/histro
#!/bin/sh
#
# Rotate History File / Command Tracking
#

LOGDIR=/var/adm/log/
if test -d $LOGDIR
then
  cd $LOGDIR
  for LOG in history; do

    # Shift the older archives up one generation (.0 through .5 are kept)
    test -f $LOG.4.tar.gz && mv $LOG.4.tar.gz $LOG.5.tar.gz
    test -f $LOG.3.tar.gz && mv $LOG.3.tar.gz $LOG.4.tar.gz
    test -f $LOG.2.tar.gz && mv $LOG.2.tar.gz $LOG.3.tar.gz
    test -f $LOG.1.tar.gz && mv $LOG.1.tar.gz $LOG.2.tar.gz
    test -f $LOG.0.tar.gz && mv $LOG.0.tar.gz $LOG.1.tar.gz

    # Archive the current directory; compress and delete only if each step worked
    test -d $LOG && mv $LOG $LOG.0 && tar -cvf $LOG.0.tar $LOG.0 &&
      /usr/local/bin/gzip $LOG.0.tar && rm -rf $LOG.0

    # Recreate the directory, world-writable because each user's logout
    # writes its own file here
    mkdir $LOG
    chmod 777 $LOG

  done
fi

As I said, this is not foolproof, but it was simple and does what I
needed. Hope this helps.
Chris H.



Date: Tue, 31 Oct 2000 14:08:37 -0500 (EST)
From: Dale Ghent <daleg at elemental.org>
To: sunhelp at sunhelp.org
Subject: Re: [Sunhelp] logging
Reply-To: sunhelp at sunhelp.org

On Tue, 31 Oct 2000, Magnus Abrante wrote:

| What more exactly do you want to log? Just commands?

Well, full command lines (i.e., all arguments). Like in the example I gave
earlier, I'd like to know what the user did with the command. If root ran
"vi /etc/passwd", I'd like to see that whole command line logged, rather
than just "vi" as it is now.

The process accounting functionality, to me, has always been geared
towards the performance/resource monitoring of a particular server. I'm
interested in using it for two different reasons: security monitoring and
user accountability.

c2audit does this, but only for processes parented by init and for users
logged in on /dev/console... not for users using ptys.

/dale
--
  "We've heard that a million monkeys at a million keyboards could produce
   the Complete Works of Shakespeare; now, thanks to the Internet,
   we know this is not true."
           --Robert Wilensky, University of California
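
Added example (not part of the original posts): a small sh function that audits the history directory the logout script above writes to. It reports users with no history file, files that are not mode-700 regular files, and users who have a personal ~/.logout, the override the post mentions. The function names, finding labels and sample users are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit the per-user history logs written at logout.
# Usage: audit_history HISTDIR HOMEROOT
# Prints one finding per line:
#   NOLOG user    no history file has been written for this user
#   BADFILE user  not a regular file, or looser than the chmod 700 the logout sets
#   LOGOUT user   user has a personal ~/.logout (the override the post mentions)
audit_history() {
    histdir=$1
    homeroot=$2
    for home in "$homeroot"/*; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        f=$histdir/$user
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "NOLOG $user"
        elif [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "BADFILE $user"
        else
            # Characters 5-10 of the ls mode string are the group and other
            # bits; chmod 700 leaves all six as "-".
            bits=$(ls -ld "$f" | cut -c5-10)
            [ "$bits" = "------" ] || echo "BADFILE $user"
        fi
        [ -e "$home/.logout" ] && echo "LOGOUT $user"
    done
    return 0
}

# Constructed sample tree (not real data): three hypothetical users.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/hist" "$root/home/alice" "$root/home/bob" "$root/home/carol"
    echo "1 ls" > "$root/hist/alice"; chmod 700 "$root/hist/alice"
    echo "1 vi /etc/passwd" > "$root/hist/bob"; chmod 644 "$root/hist/bob"
    : > "$root/home/carol/.logout"
    echo "$root"
}

sample=$(make_sample)
audit_history "$sample/hist" "$sample/home"
rm -rf "$sample"
```

On a real system the two arguments would be the history directory and the directory holding the home directories.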




