Check executed commands from remote hosts

Hello,

Is there any way to check which user, and from which IP, executed a command on the server? I need something like the history, but also with information about which IP the command was executed from.

Thanks in advance

I think the daemons keep a log, if you are talking about rsh and ssh. Of course, if they:

rsh your_host ksh <script

you just see ksh. Our ssh2 seems to use syslog(), so it is configuration dependent where what gets logged.

Hi,

Thanks for your response. Sorry I didn't mention it before, but I want to see commands executed on previous days.
Something like
#list -100 <username>
but with more details. I need to see not only when someone logged in but also what commands the user executed.

Everyone that logs in, every command with user id and time(s)? That's a lot of writing for a modified kernel where exec is logging. I heard of a recovery system where they substituted a custom /lib/libc.* so all apps called their exec*() routines, which logged and then called the real exec*() routines by number using system() (ditto for open, read, write, seek, ... so they could restart processing).

Which IP is a different log of who logs in from where, when on what tty. What do you want to do with things run by cron, at, daemon servers, root and his buddies?

What happens if the log disk fills?

There are stats for command use, but I forget where.

There is no need for a hacked kernel. Much more than what is asked for is already there with Solaris accounting and auditing capabilities.
28. Solaris Auditing (Overview) (System Administration Guide: Security Services) - Sun Microsystems

Should you really want to write a custom solution, a relatively simple dtrace script would do that job.

Yes, I was speaking very generally, and this is the Solaris-specific forum. Does Solaris do all of who from where ran what how many times/seconds?

Yes, it does do that.

>  acctadm -r
process:
extended pid,uid,gid,cpu,time,command,tty,projid,taskid,ancpid,wait-status,zone,flag,memory,mstate
basic    pid,uid,gid,cpu,time,command,tty,flag
task:
extended taskid,projid,cpu,time,host,mstate,anctaskid,zone
basic    taskid,projid,cpu,time
flow:
extended saddr,daddr,sport,dport,proto,dsfield,nbytes,npkts,action,ctime,lseen,projid,uid
basic    saddr,daddr,sport,dport,proto,nbytes,npkts,action

Note the process: extended and task: extended
The display kinda sucks but it is readable.

There are two possible "on" states: extended and basic
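
Added example, not part of any post in this thread and not Solaris code: a sketch of the correlation the thread describes, joining login records (who logged in from which IP, on which tty, when) with process accounting records (user, tty, command, time, as in the acctadm field list above) to attribute each command to a source IP. The record layouts and all sample values are constructed assumptions, not the Solaris wtmpx or exacct formats.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data. The tuple layouts are assumptions for this example,
# not the on-disk formats of Solaris login or process accounting records.
LOGINS = [  # (user, tty, source_ip, login, logout)
    ("alice", "pts/1", "192.0.2.10", "2024-05-01 09:00", "2024-05-01 09:30"),
    ("bob", "pts/1", "198.51.100.7", "2024-05-01 10:00", "2024-05-01 11:00"),
    ("alice", "pts/2", "203.0.113.5", "2024-05-01 10:15", None),  # still logged in
]
PROCS = [  # (user, tty, command, start)
    ("alice", "pts/1", "vi", "2024-05-01 09:05"),
    ("bob", "pts/1", "rm", "2024-05-01 10:20"),
    ("root", "pts/1", "passwd", "2024-05-01 10:25"),  # uid changed inside bob's session
    ("alice", "pts/2", "scp", "2024-05-01 10:16"),
    ("root", "?", "cron-job", "2024-05-01 03:00"),    # no tty: cron or daemon
    ("bob", "pts/1", "ls", "2024-05-01 11:30"),       # after logout on that tty
]

def ts(s):
    # Parse the constructed timestamp format; None means "session still open".
    return datetime.strptime(s, "%Y-%m-%d %H:%M") if s else None

def attribute(logins, procs):
    """Return (start, user, command, tty, source_ip_or_None, note) per process."""
    by_tty = defaultdict(list)
    for user, tty, ip, start, end in logins:
        by_tty[tty].append((ts(start), ts(end), user, ip))
    for sessions in by_tty.values():
        sessions.sort(key=lambda s: s[0])
    out = []
    for user, tty, cmd, start in procs:
        t = ts(start)
        sessions = by_tty.get(tty, [])
        # Latest session on this tty that began at or before the process start.
        i = bisect_right([s[0] for s in sessions], t) - 1
        ip, note = None, "no login session on tty"
        if i >= 0:
            login, logout, login_user, src = sessions[i]
            if logout is None or t <= logout:
                ip = src
                note = "ok" if login_user == user else f"ran as {user}, logged in as {login_user}"
        out.append((start, user, cmd, tty, ip, note))
    return out

if __name__ == "__main__":
    for row in attribute(LOGINS, PROCS):
        print(*row, sep="\t")
```

The join key is the tty plus the time window, not the user name, so a command run after a uid change is still tied to the session's source IP and flagged; processes with no tty (cron, at, daemons) come back unattributed.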

Thank you guys for your answers.
I assume it is more complicated than I thought.
I will look into this.

I was disappointed that computer programming required file editing. It turns out more up front investment is required to get the benefits, all the way down the line! :)