#1
Hi, I have enabled auditing on my AIX machine and it's working fine, but I have one problem. If I view the audit log file, I cannot identify from which tty or pts user XYZ, who made ...... changes, was logged in, or what his IP address was. Can anyone help me with how I can also add the IP feature to audit, so that I come to know that XYZ logged in from 192.168.0.8 and removed the file? Waiting.

#2
Personally I don't use audit, except if it is explicitly required by the customer. It can pose a significant load on the system and to find anything is a mission. It's like looking for a needle in a haystack! I created some scripts that get started automatically when the user logs in or when he su's to another user. Basically I use the 'script' command to log all activities of that user, and I also track his .sh_history. I store my files separately in a file system, i.e. wally.script.date.time.gz. I also store a bit of info about where the user came from, etc. Look into it, maybe it works for you too...

#4
Well, I can't exactly send you my complete scripts as they are in production use at customers (security), but I can explain how to do it and what I used (in a broad sense)...

You have to install sudo; download it free on the net. Then configure sudo with the visudo command:

visudo - this edits the sudoers file.

Add (some of my contents):

User_Alias ROOT_ALLOW_SU=myuser,anotheruser
ROOT_ALLOW_SU ALL = NOPASSWD: /usr/local/bin/suroot

Inside the suroot script you can do some checks to make sure the suscript exists and then execute it. Also add this code to the .profile of the root user, so when he's logged in the script is executed as well.

Then the suscript: mine is quite long and complex, checking for various things, securing variables, compressing old files etc., but basically it calls:

/usr/bin/script -a $SCRIPTFILE

where scriptfile is the file you choose to keep the history in. So all actions are logged from the moment any user logs in and when he su's to root.

To su to root then:

sudo suroot

For all those concerned with security, this assumes that the administrator has applied proper security to the system, and that root is secure. The above will provide monitoring as well as a method of giving root access to trusted individuals without giving them the password. If that's not required, remove the suroot permission from sudo. However, the 'script' command can still be used for auditing...
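
The logging step described in the post above, as an added example that is not the poster's production code: it takes the login name, tty and originating host from `who am i`, writes them as a header line, and then starts `script -a` on a file named like `wally.script.date.time`. `LOGDIR`, the function names and the `--record` switch are assumptions.

```shell
#!/bin/sh
# Added example: session-recording wrapper in the spirit of the "suscript" above.
# LOGDIR, the function names and the --record switch are assumptions.
LOGDIR="${LOGDIR:-/var/log/sessions}"   # assumed dedicated file system

# Parse one line of `who am i` output (constructed sample):
#   wally  pts/3  Mar 12 09:41  (192.168.0.8)
# Prints "login tty origin"; origin is "local" when there is no (host) field.
parse_who_line() {
    printf '%s\n' "$1" | awk 'NF >= 2 {
        origin = "local"
        if ($NF ~ /^\(.*\)$/) origin = substr($NF, 2, length($NF) - 2)
        print $1, $2, origin
    }'
}

# Reduce a value to characters that are safe inside a file name.
sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'
}

# Build the transcript path <login>.script.<date>.<time> under LOGDIR.
session_file() {   # args: login, YYYYMMDD, HHMMSS
    printf '%s/%s.script.%s.%s\n' "$LOGDIR" "$(sanitize "$1")" "$2" "$3"
}

# Write a header saying who connected from where, then start script(1).
record_session() {
    set -- $(parse_who_line "$(who am i)")
    login=${1:-$(id -un)}; tty=${2:-none}; origin=${3:-unknown}
    file=$(session_file "$login" "$(date +%Y%m%d)" "$(date +%H%M%S)")
    umask 077   # transcripts may contain typed secrets
    printf '# login=%s tty=%s from=%s start=%s\n' \
        "$login" "$tty" "$origin" "$(date)" >> "$file"
    exec /usr/bin/script -a "$file"
}

# Only record when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--record" ]; then
    record_session
fi
```

Because `who am i` reports the login tied to the terminal, the header keeps the original user name even when the wrapper is started through `sudo suroot`.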