Command Tracking

Hi,

OS: Solaris9, SPARC

Is there any way I can track the commands run by users from the shell prompt?

Example:
Somebody is deleting files from the system. Who it is is a mystery. That person obviously does not use bash prompt so there is no history. Is there anyway I can find out who is doing it by recording the user commands some where. Is this already done in Solaris?

Regd,
M...

this is one possible idea/suggestion,

have a stealth wrapper to your /usr/bin/rm and /usr/sbin/unlink commands

stealth wrapper.
when the commands rm or unlink is executed first the wrapper which contains the underlying base command would be executed.
With that you can log the userid, file being deleted, time of deletion.

its actually you are wrapper script executed first upon invoking rm or unlink system calls. Then the wrapper in turn executes the required command.

This should give you a clue/option to proceed.

Yeah, there is a way to do that: convert your system into 'trusted' one, look at man pages for bsmconv and google about how it works, there is also a good and funny tool called ttysnoop (if im not mistaken) which sniff/display user command in realtime ... but never tried both :o
Or
hack the shell ... well if u dare :smiley:

Thanks for the replies, both-of-you.

I will try them and get back.

So Matrixmadhan; Your suggestion is that I create wrapper files (say shell scripts) called 'rm' and 'unlink' which inturn contains the rm and unlink commands with a logger?

M...

Hi,
There is a command called script which will record all the commanda a user executes.Put this command in the glabal .profile so that each users commands are recorded.
NOTE:
script command saves all dialog in file. If no
file name is given, the typescript is saved in the file typescript.

So pass teh argumnet to script coammnd as a file name created based on user id say

script -a
script logfile.${USERNAME}

This will append all commands to ths logfile.Not sure where the file gets created. Pls see the man page for the same.

Thanks.

the file gets created in the directory from you execute the command,
if it is getting executed from your profile then it is obviously the user's home directory.

But you have some subtle points to be noted when using script command.
a) the file gets created in the home directory so the user has an option of corrupting the file anytime
one way of handling this is use script -a <path>
where files are continously taken backup from the path
b) script command is implemented using pseudo master-terminal system so you are not working on the teletype granted to you by login program; you have the control on the line you are working, so one who is playing with that can easily identify from tty and ps -ef | grep login commands whether he is working on a abstraction of script command or in plain teletype line
c) you need to execute exit command twice to logout; that gives a hint to be careful the next time the user logs in

these are the things you need to consider when you are using script command to track.