LinuxQuestions.org
Old 04-27-2011, 12:10 AM   #1
it_guy
User activity Log in RHEL 5.2


Hi,
Is there any way to view any user activity / command history with date and time in the system?
I looked at /var/log/secure but I can find only the login/logout attempts, and the "history" command doesn't come with the date/time at which the user issued the commands. Is there any best practice to audit the user activities inside the system? Pls. advise.
 
Old 04-27-2011, 12:41 AM   #2
EricTRA
Hello,

By default the history log doesn't save date and time information, but you can configure it to do so. Have a look at this site; it explains how to configure it. There's a lot of information about auditing in RHEL on the internet; do a search for 'auditd RHEL' and you'll get tons of resources. One of them that explains it in easy terminology and that gives you the basics to get started is this one.

Kind regards,

Eric
 
Old 04-27-2011, 01:51 AM   #3
it_guy
history command from day 1 to last

Hi EricTRA,
Really appreciate your info. I managed to do it. But only the last 200+ commands (1 page only) are seen. If I want to see from the first command on day 1 to the last command, how would I be able to configure it accordingly? And I can't use the " | more " parameter in order to see page by page from day 1 to the last command. Pls. advise. Thanks a lot.
 
Old 04-27-2011, 02:07 AM   #5
micxz
This is some cool info:
http://mywiki.wooledge.org/BashFAQ/088
http://www.debian-administration.org/articles/543

 
Old 04-27-2011, 02:13 AM   #6
EricTRA
Quote:
Originally Posted by it_guy View Post
Hi EricTRA,
Really appreciate your info. I managed to do it. But only the last 200+ commands (1 page only) are seen. If I want to see from the first command on day 1 to the last command, how would I be able to configure it accordingly? And I can't use the " | more " parameter in order to see page by page from day 1 to the last command. Pls. advise. Thanks a lot.
Hello,

You're welcome. I assume you're referring to the history. Have a look at this site on what settings you can change. Normally your history, when using the default settings, would only keep something like the last 500 commands, including duplicates. So if you want to keep track of a longer period (more commands) you'll have to configure it as indicated in the site I pointed to (and also the one pointed out by micxz). If you want to see history from day one as you state, then you're out of luck. If it's not in the history, then you can forget that, I'm afraid.

Kind regards,

Eric

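The history configuration discussed in posts #2 and #6, as an added example that is not from the thread: a profile snippet that timestamps every bash history entry and raises the entry limit, plus a small reader that pairs each timestamp with its command so the whole file can be viewed from the first recorded command to the last. The profile path, the limit values and the sample history file are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Timestamped bash history and a reader
# for it. Assumed profile path: /etc/profile.d/history-audit.sh; limit values
# are assumptions; the sample history file below is constructed.

# Write a system-wide profile snippet to the path given as $1.
write_history_profile() {
    cat > "$1" <<'EOF'
# Record the epoch time of each command in $HISTFILE and show it in `history`.
export HISTTIMEFORMAT='%F %T  '
# Keep far more than the default number of entries (values are assumptions).
export HISTSIZE=100000
export HISTFILESIZE=100000
# Append instead of overwriting so parallel sessions do not clobber each other.
[ -n "$BASH_VERSION" ] && shopt -s histappend
EOF
}

# Pair each "#<epoch>" marker bash writes when HISTTIMEFORMAT is set with the
# command that follows it. Output: "<epoch>\t<command>", oldest first. Entries
# recorded before timestamps were enabled get "unknown". Argument: history file.
history_records() {
    ts=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'[0-9]*) ts=${line#\#} ;;                       # timestamp marker
            *) printf '%s\t%s\n' "${ts:-unknown}" "$line"; ts="" ;;
        esac
    done < "$1"
}

# Same as history_records, with the epoch rendered as a UTC date (GNU date).
history_with_dates() {
    history_records "$1" | while IFS="$(printf '\t')" read -r ts cmd; do
        if [ "$ts" = unknown ]; then when="unknown            "
        else when=$(date -u -d "@$ts" '+%F %T'); fi
        printf '%s  %s\n' "$when" "$cmd"
    done
}

# Constructed sample history file (not real data) written to $1.
make_sample_history() {
    printf '%s\n' 'ls -l /var/log' '#1303863000' 'cat /var/log/secure' \
        '#1303863060' 'history | more' > "$1"
}

sample=${TMPDIR:-/tmp}/sample_bash_history.$$
make_sample_history "$sample"
history_with_dates "$sample"
rm -f "$sample"
```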
 
Old 04-29-2011, 12:54 AM   #7
it_guy
Audit log for "rcp" file transfer

Hi Eric and micxz,
Thanks for your quite helpful information; I have been exploring it these days and utilizing it for my job. But I am wondering where I am able to view the "rcp" file transfer attempts from server "A" to my server "B" inside /var/log/. So far I cannot find any in the /var/log/messages and /var/log/secure logs. And am I able to view the successful and failed "rcp" file transfer attempts in my server log file? Pls. advise.

Thanks,
 
Old 04-29-2011, 01:15 AM   #8
EricTRA
Hello,

I've never worked with rcp to copy files from one server to another, I always use scp which is a lot more secure I believe. But I've found this on the internet that might be helpful:
Quote:
Look in the .rhost files in ~user home directories and /etc/auth.conf
Kind regards,

Eric
 
Old 04-29-2011, 03:58 AM   #9
it_guy
rcp time out setting

Hi,
Thanks. But for project requirements and offline usage, we need to use the "rcp" command instead of "scp". Do you have any idea where I should configure the time-out setting for "rcp"?
 
Old 05-05-2011, 05:47 AM   #10
unSpawn
Since this thread was referenced elsewhere, and because of some of the replies, I would like to restore Balance to the Force and add a few posts for meditation. Unless BaSH changed, the history list is only active during interactive shells, and as catkin remarks, shell history is a user convenience, not an audit tool. Here's a short overview of standard accounting features, auditing options and considerations. Also see this, and another overview, and for completeness' sake pam_tty_audit and an example of Auditd executable logging.

In closing, some logging examples FWIW:
- Rootsh: http://www.linuxquestions.org/questi...7/#post2980353
- FUSE LoggedFS: http://www.linuxquestions.org/questi...5/#post4001946
- pam_tty_audit.so a slightly doctored output of /etc/pam.d/login with "session required pam_tty_audit.so disable=* enable=root" set (left) and without (right) showing a root login on TTY1, running 'ps' and logging out:
Code:
~]$ diff -y auditlog_secure_pam_tty_audit auditlog_secure_NO_pam_tty_audit -W 260
==> /var/log/audit/audit.log <==                                                                                                ==> /var/log/audit/audit.log <==
node= type=USER_AUTH msg=audit(..): user pid=5784 msg='PAM: authentication acct="root" : exe="/bin/login" (hostname=?, addr=? | node= type=USER_AUTH msg=audit(..): user pid=5831 msg='PAM: authentication acct="root" : exe="/bin/login" (hostname=?, addr=?
node= type=USER_ACCT msg=audit(..): user pid=5784 msg='PAM: accounting acct="root" : exe="/bin/login" (hostname=?, addr=?, te | node= type=USER_ACCT msg=audit(..): user pid=5831 msg='PAM: accounting acct="root" : exe="/bin/login" (hostname=?, addr=?, te
node= type=LOGIN msg=audit(..): login pid=5784 old ses= new ses=85                                                            | node= type=LOGIN msg=audit(..): login pid=5831 old ses= new ses=88
node= type=USER_ROLE_CHANGE msg=audit(..): user pid=5784 msg='pam: default-context=root:system_r:unconfined_t:s0-s0:c0.c1023  | node= type=USER_ROLE_CHANGE msg=audit(..): user pid=5831 msg='pam: default-context=root:system_r:unconfined_t:s0-s0:c0.c1023 
node= type=USER_START msg=audit(..): user pid=5784 msg='PAM: session open acct="root" : exe="/bin/login" (hostname=?, addr=?, | node= type=USER_START msg=audit(..): user pid=5831 msg='PAM: session open acct="root" : exe="/bin/login" (hostname=?, addr=?,
node= type=CRED_ACQ msg=audit(..): user pid=5784 msg='PAM: setcred acct="root" : exe="/bin/login" (hostname=?, addr=?, termin | node= type=CRED_ACQ msg=audit(..): user pid=5831 msg='PAM: setcred acct="root" : exe="/bin/login" (hostname=?, addr=?, termin
node= type=USER_LOGIN msg=audit(..): user pid=5784 msg='op=login id=0 exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res | node= type=USER_LOGIN msg=audit(..): user pid=5831 msg='op=login id=0 exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res
node= type=TTY msg=audit(..): tty pid=5791 uid=0 auid=0 major=4 minor=1 comm="bash" data=70730D                               <
node= type=USER_TTY msg=audit(..): user pid=5791 uid=0 auid=0 msg="ps"                                                        <
node= type=TTY msg=audit(..): tty pid=5791 uid=0 auid=0 major=4 minor=1 comm="bash" data=04                                   <
node= type=CRED_DISP msg=audit(..): user pid=5784 msg='PAM: setcred acct="root" : exe="/bin/login" (hostname=?, addr=?, termi | node= type=CRED_DISP msg=audit(..): user pid=5831 msg='PAM: setcred acct="root" : exe="/bin/login" (hostname=?, addr=?, termi
node= type=USER_END msg=audit(..): user pid=5784 msg='PAM: session close acct="root" : exe="/bin/login" (hostname=?, addr=?,  | node= type=USER_END msg=audit(..): user pid=5831 msg='PAM: session close acct="root" : exe="/bin/login" (hostname=?, addr=?,
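The pam_tty_audit records above carry the keystrokes as hex in the data= field (70730D is "ps" followed by a carriage return, 04 is Ctrl-D). As an added example that is not from the thread, a small decoder that turns those type=TTY records into readable keystrokes; the sample log lines it runs on are constructed, abbreviated like the excerpt above.

```shell
#!/bin/sh
# Added example (not from the thread): decode the hex data= field of auditd
# type=TTY records written by pam_tty_audit. Sample records are constructed.

# Turn a hex string into readable keystrokes: printable bytes as-is, control
# bytes as <CR>, <LF> or <0xNN>.
decode_tty_hex() {
    hex=$1 out=""
    while [ ${#hex} -ge 2 ]; do
        pair=$(printf '%.2s' "$hex")      # next two hex digits
        hex=${hex#??}
        dec=$((0x$pair))
        if [ "$dec" -eq 13 ]; then out="${out}<CR>"
        elif [ "$dec" -eq 10 ]; then out="${out}<LF>"
        elif [ "$dec" -lt 32 ] || [ "$dec" -ge 127 ]; then out="${out}<0x${pair}>"
        else out="$out$(printf "\\$(printf '%03o' "$dec")")"   # printable byte
        fi
    done
    printf '%s' "$out"
}

# Read audit.log lines on stdin; print "pid uid keystrokes" per type=TTY record.
# The leading space in " uid=" avoids matching the auid= field.
audit_tty_keystrokes() {
    grep 'type=TTY ' | while IFS= read -r rec; do
        pid=${rec##* pid=}; pid=${pid%% *}
        uid=${rec##* uid=}; uid=${uid%% *}
        data=${rec##*data=}; data=${data%% *}
        printf '%s %s %s\n' "$pid" "$uid" "$(decode_tty_hex "$data")"
    done
}

# Constructed sample records (abbreviated, not real audit output).
sample_audit_log() {
    cat <<'EOF'
node= type=USER_LOGIN msg=audit(..): user pid=5784 msg='op=login id=0 exe="/bin/login"
node= type=TTY msg=audit(..): tty pid=5791 uid=0 auid=0 major=4 minor=1 comm="bash" data=70730D
node= type=USER_TTY msg=audit(..): user pid=5791 uid=0 auid=0 msg="ps"
node= type=TTY msg=audit(..): tty pid=5791 uid=0 auid=0 major=4 minor=1 comm="bash" data=04
EOF
}

sample_audit_log | audit_tty_keystrokes
```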
 