Command History for a user with IP details

Hi
We are sharing our environment with our component teams. The platform is SunOS 5.8 Generic_117350-41 sun4u sparc SUNW,Sun-Fire-V490.

All teams log in to the domain with the same user and perform activities.
Now, for system auditing purposes, can somebody guide me on how I can get the details of when a user fired a particular command and from which IP? For example, if somebody fires the command rm <filename>, I want to see the date when the command was fired, the username who fired the command and the IP address of the system it was fired from, so that I can hunt him down. I googled a lot on this subject and on some web page it was suggested that Solaris logging can be enabled for a user, but I was not able to find out how this can be done. Can somebody please help me here? I have root access on this machine.

Regards
Sukhvinder Singh

We'll set aside the usual rant that this should incur for the sake of getting to the useful bit right away; just take it as given that I don't approve of shared accounts for an initial connection to a server :slight_smile:

Give the users their own personal login, then grant them rights to switch to the user they all use for the various activities they need to do - that way you have an ID associated with each session.
Then, to get more detail than just "user blah became root at timeX" you could turn on Solaris Auditing (aka BSM).

Without that, about the best you can do is see which IP address was connected during the time the command you are attempting to trace occurred. That's often insufficient if there are a lot of users on.

Well, we are already doing the same thing you have suggested. We have provided them a login id. After that they switch to root and then to our user, as their user is not permitted to make changes in our directory, and then they do the changes.
I can get the details of this from the sulog, but I want to know what commands they fired after they switched, with time and date, as the history command is not showing these details.

History is very easily modified by the user anyway, so it isn't really useful.
If you already have an audit trail of their arrival and the associated pty, then it's just a matter of using BSM / Audit to track what they do from there. There's _heaps_ of info available on Solaris' audit daemon, along with a number of tools (free or licensed) to interpret the screeds of data you get from it :slight_smile:

As an alternative, you could identify the exact commands the user needs and just grant sudo rights to those commands as the target user only. Then it's logged and a lot safer too.

Smiling Dragon
Can you please let me know how I can use BSM/Audit Track to hunt down the culprit IP address. Also let me know of any free tool available to keep an eye on an operator using the shared login username from a terminal. I want to get the commands fired by each user operating from different machines but using the same username (simply because we operate as a team).

Regards
Sukhvinder Singh
Tech Mahindra Ltd.

You have to create the /var/adm/loginlog file to log users' connections. This should have been done during the OS hardening (/var/log/syslog.conf). Each user's .bash_history file logs the history of commands executed. Whenever a user logs in, use the script command to record the activities to a file.
For example, try this so that you can see:
Log in to the system
type:
cd /
script /tmp/rec_cmds
do whatever you want: useradd, delete a file, housekeep or run scripts etc.
Ctrl+D

cat /tmp/rec_cmds <-- shows you what had just happened

As previously stated, you use BSM/audit to track what they do on the system, not track down the IP.
But you can associate the IP to the pty then associate the actions with that pty.

BSM is a Solaris builtin that can be enabled to log whatever info you wish, right down to the system calls.
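The pty-to-IP correlation the replies above describe, as an added example that is not part of the thread and not code from any poster. It assumes the Solaris `who` column layout (user, line, login time, remote host in parentheses); the sample `who` output, the /var/adm/sessions directory and the function names are constructed for the example. The idea is to look up which remote address owns the pty a shell is running on (the pty survives su to root and then to the shared account, so `who` still shows the original login) and to name each `script` recording after that user/pty/IP triple, so a recorded session or a BSM record for that pty can be tied back to a source address.

```shell
#!/bin/sh
# Added example, not from the original thread: map a pty to the remote IP
# that logged in on it, then name a per-session `script` recording after
# user, pty and IP so the recording can be tied back to a source address.

# Constructed sample of Solaris `who` output (remote host in parentheses).
WHO_SAMPLE='sukhvinder pts/1        Jun 12 09:02    (10.20.30.41)
operator   pts/3        Jun 12 09:15    (10.20.30.77)
root       console      Jun 12 08:00
operator   pts/5        Jun 12 09:40    (10.20.30.41)'

# ip_for_pty PTY [WHO_OUTPUT]
# Prints the remote host/IP for PTY, or "local" when the session has no
# remote host (console logins). Reads `who` output from $2, or runs `who`
# when $2 is absent, so it works on sample data and on a live box alike.
# Returns 1 when PTY is not listed at all.
ip_for_pty() {
    pty=$1
    out=${2:-$(who)}
    printf '%s\n' "$out" | awk -v pty="$pty" '
        $2 == pty {
            if ($NF ~ /^\(.*\)$/) { h = $NF; gsub(/[()]/, "", h); print h }
            else print "local"
            found = 1
        }
        END { if (!found) exit 1 }'
}

# session_log_path USER PTY HOST STAMP
# Builds the file name handed to `script`; "/" in the pty becomes "-".
# /var/adm/sessions is an assumed directory, not something the thread names.
session_log_path() {
    printf '/var/adm/sessions/%s_%s_%s_%s.log\n' \
        "$1" "$(printf '%s' "$2" | tr '/' '-')" "$3" "$4"
}

# record_session: intended for the end of the shared account's profile.
# Looks up the current pty's source IP and starts `script` on a file named
# after it. Guarded so a nested shell does not start a second recording.
record_session() {
    [ -n "$SESSION_RECORDED" ] && return 0
    pty=$(tty | sed 's|^/dev/||')
    host=$(ip_for_pty "$pty" 2>/dev/null) || host=unknown
    user=$(id | sed 's/^uid=[0-9]*(\([^)]*\)).*/\1/')
    stamp=$(date +%Y%m%d%H%M%S)
    log=$(session_log_path "$user" "$pty" "$host" "$stamp")
    SESSION_RECORDED=1; export SESSION_RECORDED
    exec script -a "$log"
}

# Demonstration on the constructed sample.
ip_for_pty pts/3 "$WHO_SAMPLE"
session_log_path operator pts/3 "$(ip_for_pty pts/3 "$WHO_SAMPLE")" 20080612091500
```

Because `script` is started from the shared account's profile, the user can still exit the recording shell, so treat this as a convenience for the honest case; BSM records, which are written by the kernel and keyed on the audit ID set at the original login, are what to rely on when the user is hostile.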