Command history

Hello All

I would like to know how to find the history of some commands (telnet, rm, grep ...) under AIX.

Thanks to all

Try the fc command. Do a man fc to find out more.

... but what if 'the user' modifies or just deletes the history file? :o

How your shell history is kept depends upon your shell (sh, csh, ksh, etc.). You are probably using Korn shell, which defaults to using .sh_history in the user's home directory to store a history in. You can change this by setting HISTFILE in your .profile. I would recommend setting the following in /etc/profile:

USER=`/usr/bin/who am i | /bin/cut -d' ' -f 1`   # login name from the session record, i.e. the name before any su
MYTTY=`/usr/bin/tty`                              # this session's terminal device, e.g. /dev/pts/3
BASETTY=`/bin/basename ${MYTTY}`                  # last path component of that device
HISTFILE=${HOME}/.hist.${USER}.${BASETTY}         # one history file per user and terminal
export HISTFILE
readonly HISTFILE                                 # "export readonly X" would export a variable called "readonly"; mark it read-only separately
HISTSIZE=100000                                   # ksh reads HISTSIZE (not HISTORY) for the number of commands kept
export HISTSIZE
readonly HISTSIZE

A lot of books espouse using $$, your PID. This is dumb. You get a separate shell history per login, but you create a boatload of files that never get reused. These selfsame books will tell you to do something stupid like create a cron job to delete any of these that are more than 3 days old. 3 days! Try 6 months! With the above, as you only have one (pseudo) terminal for each login session, each login session will get its own history. However, you will reuse the ttys, so you will reuse the history files. If HISTORY is large enough, however, you'll go back far enough. You can, however, trace back who had which tty when via the "last" command. There is no way to historically trace the PID. If you don't want to reuse the history files, add the date:

DATE=`/bin/date "+%Y%m%d.%H%M"`

I would put it between .hist and ${USER}. The ${USER} part may seem superfluous, but if you have some account used by multiple users (like say "oracle"), then this allows you to see who did what. Because you take the username off of "who", you see their name before they su'ed (and of course you are going to set RLOGIN to "no" for a user like oracle so that users are forced to log in as themselves and then su to the account, so that you have a paper trail to follow).

If we are talking about some derivative of C shell (csh), you have to put something in the user's .cshrc file (.login will not do) like:

set history = 100000
set savehist = 100000

Actually the first one is how many history commands to show when they type "history", so that you might make smaller. No way to make it read-only. No way to set the file's name, it saves in $HOME/.history (like it or not). Furthermore, ksh writes to the history as it goes. csh writes to .history when it exits. Log in to two windows, exit out of window A, exit out of window B - the history saved by window A gets overwritten and is lost; only the history of window B gets saved. For this reason, if history is important to you, csh is not your first choice.

Bourne shell doesn't do history at all.

The catch 22 is, if users can write to their history files, users can trash their own history files. Nothing you can do about that (other than say frequent backups).

Thank you

And what about the history of remote connections, telnet for example?
Where can I find this information?

If you are on computer "A" and you telnet into computer "B", then when you log in to computer "B", the shell there will record what you have done. Nothing on computer "A" will record what commands were issued in the telnet session (which is what I think you are looking for).

If you have used the values for HISTFILE that I recommended (particularly if you add the date), then on computer "B", you can see the pseudo terminal, and you can use "last" to determine where the user logged in from. You could then use "last" on computer "A" to see who was logged in at that time and go search through their shell histories.

This isn't perfect.

I suppose perhaps you could use "script" to record all input/output of a user session into a file. It's not really made for this sort of thing; putting it in a .profile may get you into an infinite loop. "script" will fire off a shell and when that shell exits, any input/output from that shell gets recorded in a file (defaults to "transcript", but you can pass an argument to write to some other file). Because script fires off a shell, if you put it into a .profile, you could fire off a shell that fires off a shell that fires off a shell... infinite loop.
"script" seems to have the level of logging you want, but how to make it work (and how to force users to use it)?

I suppose you could packet sniff, say with tcpdump. In next to no time, you'll have a huge file to pick through. I think this would only be practical if you were to target specific users you are suspicious of, etc.
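The two steps above, trace the history file back to a tty and then use "last" to see who held that tty and where they came from, as an added worked example that is not from this thread. It assumes the per-tty HISTFILE naming from the earlier post with the date inserted between .hist and the user name, and that the tty component is the basename of the terminal device ("3" for /dev/pts/3), so a record matches when its tty field equals that name or ends in "/<name>". The `last` listing is constructed and simplified (no "still logged in" entries, no sessions across midnight); real `last` output varies by system.

```sh
#!/bin/sh
# Added example: trace a per-tty history file back to the login that produced it.
# All data below is constructed; nothing is read from the running system.

# Constructed, simplified `last`-style listing:
#   user  tty  from  Mon DD start - end (duration)
LAST_SAMPLE='oracle   pts/3   dbhost1.example    Mar 01 09:10 - 09:45  (00:35)
alice    pts/3   10.0.0.5           Mar 01 08:00 - 09:05  (01:05)
bob      pts/2   10.0.0.7           Mar 01 09:00 - 10:30  (01:30)'

# who_held_tty LAST_TEXT TTY YYYYMMDD HHMM
# Prints "user from-host" for the session on TTY that covers the given minute.
# TTY is the device basename stored in the history file name ("3" for /dev/pts/3);
# a record matches when its tty field is that name or ends in "/<name>".
who_held_tty() {
    printf '%s\n' "$1" | awk -v tty="$2" -v ymd="$3" -v hhmm="$4" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
            day = mon[substr(ymd, 5, 2) + 0] " " substr(ymd, 7, 2)   # 20240301 -> "Mar 01"
            t = substr(hhmm, 1, 2) * 60 + substr(hhmm, 3, 2)         # minutes since midnight
        }
        NF < 8 { next }                                  # skip blank or truncated lines
        $2 != tty && $2 !~ ("/" tty "$") { next }        # wrong terminal
        ($4 " " $5) != day { next }                      # wrong day
        {
            split($6, s, ":"); split($8, e, ":")
            start = s[1] * 60 + s[2]; end = e[1] * 60 + e[2]
            if (t >= start && t <= end) print $1, $3
        }'
}

# audit_histfile LAST_TEXT PATH
# PATH follows the recommended scheme with the date added:
#   $HOME/.hist.<YYYYMMDD>.<HHMM>.<user>.<tty>
audit_histfile() {
    name=${2##*/}            # drop the directory part
    name=${name#.hist.}      # leaves: YYYYMMDD.HHMM.user.tty
    old_ifs=$IFS; IFS=.
    set -- "$1" $name        # $1 last text, $2 date, $3 time, $4 user, $5 tty
    IFS=$old_ifs
    who_held_tty "$1" "$5" "$2" "$3"
}

# Usage: which login created this history file, and where did it come from?
# The file name says "oracle", but `last` shows the session that owned pts/3 then.
audit_histfile "$LAST_SAMPLE" "/home/oracle/.hist.20240301.0912.oracle.3"
```

The user name in the file name is the one "who" reported at login, so on a shared account it already tells you who su'ed; the lookup adds the originating host, which is what you would then chase on the other machine's `last` output.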

Good evening

I want to know the IP addresses of all machines which are connected to my server. In SCO UNIX I use the "finger" command, but in AIX I don't know what I can do, because finger doesn't give me the IP address.
Thanks all

Finger is available in AIX. If they are currently logged in multiple times, you'll see multiple instances in the output, and it will show where they are logged in from. This information is coming from (I'm pretty sure) the wtmp file, the file you read with 'last', so 'last' will get you the same information, not only on current users, but on previous logins.

I get the feeling, however, this isn't really what you want either.

In Solaris, you can run inetd with a "-t" (trace) option. In AIX (I've never done this) there is a "-d" option which appears to be similar. Solaris's -t will log every single connection that is made to any port that inetd is listening to (logs to syslog). This would show you even attempts that are aborted (i.e. someone telnets and then exits out of the telnet command before even attempting to log in, etc.). This would log everything that goes through inetd, not just telnets and rlogins.

There isn't a good way, however, to connect inetd's output with other things like shell histories.

I suppose, alternatively, you could do a netstat periodically and save it to a file. It would be a mess to pick through. Typically, ports when they close go into a FIN_WAIT status for like 5 minutes, so every 5 minutes or so should work.
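The periodic netstat snapshot just described, as an added example that is not from this thread: it pulls the remote addresses of established sessions to one local port (23 for telnet) out of a saved `netstat -an` listing and writes them to a timestamped file, which is what a cron job every few minutes would do. The snapshot is constructed in AIX's "address.port" notation; real output has more rows, and the state column is the sixth field only for the TCP lines shown here.

```sh
#!/bin/sh
# Added example: list the hosts connected to a service from a `netstat -an` snapshot.
# The snapshot below is constructed; it is not output from a real system.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp4       0      0  *.23               *.*                LISTEN
tcp4       0      0  192.0.2.10.23      198.51.100.5.41234 ESTABLISHED
tcp4       0      0  192.0.2.10.23      198.51.100.7.50022 ESTABLISHED
tcp4       0      0  192.0.2.10.23      198.51.100.5.41301 ESTABLISHED
tcp4       0      0  192.0.2.10.22      198.51.100.9.40001 ESTABLISHED
tcp4       0      0  192.0.2.10.23      198.51.100.8.40500 FIN_WAIT_2'

# service_peers SNAPSHOT PORT
# Prints each distinct remote host with an ESTABLISHED connection to local PORT,
# one per line, sorted. FIN_WAIT lines are skipped: those sessions are already gone,
# which is why a snapshot every few minutes is enough to catch the live ones.
service_peers() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 ~ ("\\." port "$") {
            peer = $5
            sub(/\.[0-9]+$/, "", peer)   # strip the remote port, keep the address
            print peer
        }' | sort -u
}

# record_peers DIR PORT SNAPSHOT
# Saves the peer list as DIR/peers.<port>.<YYYYMMDD.HHMM> and prints the file name.
# From cron the SNAPSHOT argument would be the output of `netstat -an`; keeping the
# same YYYYMMDD.HHMM stamp as the history files makes the two easy to line up.
record_peers() {
    out="$1/peers.$2.$(date '+%Y%m%d.%H%M')"
    service_peers "$3" "$2" > "$out"
    printf '%s\n' "$out"
}

# Usage: who is on the telnet port right now (according to the snapshot)?
service_peers "$NETSTAT_SAMPLE" 23
```

Pair the saved file with `last` for the same minute and you get the address, the tty and the user name together, which is the link between connections and shell histories that inetd's own log does not give you.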

Have you tried the "who" command? I think that should give you a list of who's logged in and from where. If you need a history of logged-in users, that information is carried in /var/adm/wtmp.

wtmp, however, isn't a normal text file. To view the formatted data you can use (once again) the 'who' command. For example... "who /var/adm/wtmp". You may wanna pipe this to "more" since it can get quite long at times. :)

Hello men

Thank you to you both, scatter Brain and Garry Garrett, you are masters.
I want to know more. If you can send me more information, but in a small amount. Thank you very very much, men.

Thank you

Good morning all

I want to know more about the /var/adm/wtmp file: the information it contains,
and the way to exploit it.

And more information.

Thanks