AIX: How to find out who entered a command?

Hi

I'm working on AIX.

My question: for example, I log in. I enter the command "last" and then I know there are 3 people logged in from 3 different IPs at the same time, 2 of them on the same account. Then someone enters a command.

Is there any way to know exactly who (which IP) entered that command? :confused:

Thanks for reading (my English is not good :frowning:)

No, not that I can think of simply, but you have the possibility to create a history file per login, which could achieve the history part. But you will be in the same situation if both users typed the same command at one time, because .sh_history keeps only the history of what one typed, not the time...

1 Like

who or who -u
should also show who is logged in.
If the user's command is still running, then ps -ef or ps -fp pid shows a terminal (tty or pty) that you can match with the one from who or last.

1 Like

The answer is a bit complex as we are (probably) talking about two different scenarios:

1) You want to know which of the persons logged in right now is executing a certain command at the moment you are looking at it. This is not possible out of the box, but can perhaps be done with a little scripting effort. There is a list of currently running processes (you can see this list using the "ps" command), and if a user is running a process right now you will see it in this list and you will be able to attribute it to a certain user by analysing the "PPID" (parent process ID).

To implement this there is relatively little effort needed, but it will be limited to processes started during the time you monitor. It will not tell you which command has been issued (or who did it) one hour before you started your monitoring.

In addition, this method will be very taxing on the system and in practice will probably not be feasible.

2) You want the same as above, but also for "historical" data. It is no longer possible to do it by monitoring the process list, because once a process ends it will not be remembered there.

Fortunately there is another way you can do that: every command is - technically speaking - a process which is started by some parent process. For normal commands this parent process is the shell the user types the command into. To open a new process from a parent process there are only a few select system functions which do this: fork() and - ultimately - the exec() -family.

It is possible to intercept this call and write a log about executed exec() system calls. Because every log on a system could be manipulated by a root user, it will be necessary to store this log in a remote location where the root user of the system has no root authority any more. One can do that by using the syslog facility.

In fact there exists such a program, it is called "snoopylogger" and you can download it from SourceForge. I tried to use it on AIX a few years ago and failed, but it worked well on CentOS/RedHat. It may be working on AIX too by now. You will have to try it.

I hope this helps.

bakunin

1 Like

I can get the PPID of the process, but how do I get the detailed information from that PPID? For example, I know the process's user is "guest" and the process's PPID is 1000000, but there are 2 people using user "guest" from 2 different IPs. So how do I know which person (IP) began the process??

With the PPID and the PID you can reconstruct "trees" of processes. Here is an example: a user types "ls" on the commandline. The following has happened:

The "login"-process has started a login-shell for that user. Because this shell is attached to a (maybe virtual) terminal you can distinguish separate sessions of the same user. They will differ in the terminal they use. This shell now starts another process, "ls".

Searching the process list for the user will give you some entries including the "ls" process. Read the PPID field and search the list again for a process having this process number in the PID field. This is the process which has started the "ls"-process - the shell it was started from. With the process information from this shell you find out which session of the user originated the process.

I hope this helps.

bakunin

1 Like
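A shell version of the PPID walk described in this answer and in the earlier who -u / ps -fp reply, added here as an example (it is not code posted in the thread). The script works on constructed ps -ef and who -u listings embedded in it, so it runs offline and the logic can be checked; trace_live swaps in the real commands. The column positions (PID = 2nd and PPID = 3rd, TTY = 6th field of ps -f output; terminal = 2nd and remote host = last field of who -u output) are assumptions based on AIX's default layouts, and the PIDs and addresses are made up.

```shell
#!/bin/sh
# Added example: attribute a running process to a login session by walking its
# PPID chain up to the login shell, then matching that shell's terminal against
# "who -u". Not code from the thread; layouts below are assumptions.

# Constructed "ps -ef" listing (UID PID PPID C STIME TTY TIME CMD).
# Two "guest" sessions on different terminals, each started by sshd (pid 1234).
PS_OUT='root      1     0  0 Jan01   -     0:00 /etc/init
root   1234     1  0 Jan01   -     0:00 /usr/sbin/sshd
guest  2000  1234  0 10:01 pts/1  0:00 -ksh
guest  3000  1234  0 10:02 pts/2  0:00 -ksh
guest  2100  2000  0 10:05 pts/1  0:00 rm -rf /tmp/work
guest  2150  2100  0 10:05 pts/1  0:00 sh helper.sh'

# Constructed "who -u" listing (NAME LINE TIME IDLE PID COMMENT); addresses are
# documentation-range placeholders.
WHO_OUT='guest    pts/1   Jan 01 10:01   .   2000  (192.0.2.10)
guest    pts/2   Jan 01 10:02   .   3000  (198.51.100.7)'

# ps_field PID COLUMN: print one column of the ps line whose PID matches.
ps_field() {
  printf '%s\n' "$PS_OUT" | awk -v pid="$1" -v col="$2" '$2 == pid { print $col; exit }'
}

# session_shell PID: climb the PPID chain while the parent still shares the
# process's controlling terminal; the last such ancestor is the login shell.
# Prints "<shell pid> <tty>", or fails if the process has no terminal.
session_shell() {
  pid=$1
  tty=$(ps_field "$pid" 6)
  [ -n "$tty" ] && [ "$tty" != "-" ] || return 1   # unknown pid or no terminal
  while :; do
    ppid=$(ps_field "$pid" 3)
    [ "$(ps_field "$ppid" 6)" = "$tty" ] || break  # parent is login/sshd: stop
    pid=$ppid
  done
  printf '%s %s\n' "$pid" "$tty"
}

# session_host PID: the remote host/IP shown by "who -u" for that process's
# terminal. The shell PID found above can be cross-checked against the who -u
# PID column as well.
session_host() {
  info=$(session_shell "$1") || return 1
  tty=${info#* }
  printf '%s\n' "$WHO_OUT" | awk -v t="$tty" '$2 == t { gsub(/[()]/, "", $NF); print $NF; exit }'
}

# trace_live PID: same lookup against the live system instead of the samples.
trace_live() {
  PS_OUT=$(ps -ef)
  WHO_OUT=$(who -u)
  session_host "$1"
}

# Demonstration on the constructed data: helper.sh (2150) was started under the
# login shell 2000 on pts/1, i.e. the session from 192.0.2.10.
echo "process 2150 belongs to shell $(session_shell 2150), host $(session_host 2150)"
```

Run it as `sh trace.sh` to see the sample result, or call `trace_live <pid>` from a shell that has sourced it. The walk stops at the first ancestor whose terminal differs (sshd, telnetd or login have none), which is exactly the login shell the answer above describes; processes that were started with nohup, by cron or after a `su` to another terminal-less session will fail the lookup rather than be attributed to the wrong user.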

Got it :D:D:D

Thanks a lot :b::b::b:

# TTY is the 6th column of "ps -f" output (UID PID PPID C STIME TTY TIME CMD); take it from the last (non-header) line
term=`ps -fp 1000000 | awk '{t=$6} END {print t}'`
# match that terminal against the login sessions listed by "who -u" to get the originating host/IP
who -u | grep -w "$term"
1 Like

Done :D:D:D
Thanks a lot :):):slight_smile:

What about auditing and its logs? I would use auditing records and would regularly map the IPs of incoming sessions to their PIDs (lsof)... then compare audit PID actions with the lsof records to get the answer of who has done what (based on the knowledge of the mapping of users to IPs).