tracking user action

Hi,

We are using Solaris 8. We have had some files disappear. I would like to know how to track who removed the files and when.
thanks,

You could start with users' shell histories.

Hi,

We have an oracle account that is shared among the admins.
Each of us logs in under an individual name, then does su - oracle.
Therefore it is hard to know who deleted the files.
Where can I set the history file to record more detail, such as the IP address of the login or the time files were removed?

thanks,

Couple things you could do:

  • You could set up an environment that keeps separate shell histories for any user that su's to oracle. Ex: make user oracle's shell ksh, then make .profile writable to root only. In .profile, set HISTFILE to something like .sh_history.$USER. You can script the retrieval of the user name or, something I saw implemented before, you give the users a code they need to enter, which will match their usernames.

  • You could make the oracle account accessible to only one user at a time. Same deal: whatever .profile or .bashrc, you make writable to root only. Inside, script a check to see if anyone is already su'd to oracle. If so, kill the session. Then you can simply use sulog and the oracle user's shell history.

If you are going to set the .profile ownerships to root, then make sure that you make the oracle home directory root owned, or else anyone can do whatever they want to the file.

A better idea would be to have some sort of rootlogger script using the 'script' command or using one of the many commercially available logging software.
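As an added example (not code from anyone in this thread), here is what the two .profile tricks above look like when scripted: the real login name is taken from `who am i`, which reports the name used at login rather than the su'd identity, and a second check counts other oracle login shells. It assumes oracle's shell is ksh, HOME is /export/home/oracle, and $HOME/.profile is root-owned as the reply recommends. One design choice differs from the reply: rather than killing the session that is already there, the new login is refused, so the admin who got there first keeps an intact history.

```sh
#!/bin/sh
# Added example: per-login shell history and a one-session-at-a-time check
# for a shared "oracle" account. Both helpers take their input as arguments
# so they can be tested with constructed text instead of live who/ps output.

# hist_file_for WHO_LINE HOME
# Map a `who am i` line (login name, tty, time, origin host) to a per-user
# history file path. The login name survives `su - oracle`, so each admin
# writes to their own .sh_history.<name>.
hist_file_for() {
    who_line=$1
    home=$2
    realuser=$(printf '%s\n' "$who_line" | awk '{print $1}')
    # No utmp entry (cron, rsh without a tty): fall back to a marker name
    # rather than silently sharing one history file.
    if [ -z "$realuser" ]; then
        realuser="unknown"
    fi
    printf '%s/.sh_history.%s\n' "$home" "$realuser"
}

# other_oracle_sessions PS_TEXT MYPID
# Count oracle login shells other than our own. PS_TEXT is the output of
# `ps -u oracle -o pid= -o comm=` (one "pid command" pair per line);
# a ksh login shell shows up as "ksh" or "-ksh".
other_oracle_sessions() {
    ps_text=$1
    mypid=$2
    printf '%s\n' "$ps_text" \
        | awk -v me="$mypid" '$1 != me && $2 ~ /^-?ksh$/ { n++ } END { print n + 0 }'
}

# What the root-owned $HOME/.profile of oracle would run at login (not
# executed here, since it needs the Solaris host):
#   HISTFILE=$(hist_file_for "$(who am i)" "$HOME"); export HISTFILE
#   if [ "$(other_oracle_sessions "$(ps -u oracle -o pid= -o comm=)" $$)" -gt 0 ]; then
#       echo "oracle is already in use by another admin; try again later"
#       exit 1
#   fi
```

Because .profile and the oracle home directory are root-owned, a user who su's to oracle cannot edit these checks away; the remaining gap is a user who starts a different shell after login, which is why the replies that follow move on to sudo and auditing.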

Sounds like you have a problem with users and privileged user accounts, i.e. oracle.

You could try one of two methods, or both. You should look into the possibilities to see if they suit your needs first, as they are only suggestions.

You need to get control over the 'su' command. Basically, stop users su'ing to privileged accounts.

Modify the /etc/profile (global system file) to run a script that checks to see if the user requesting to 'su' to the privileged account is allowed to.
(I have done this and it's dead easy. The only hassle is that /etc/profile is overwritten every time you upgrade the OS, hence you need to put the code back. I used a one-liner to overcome this.) I may still have the scripts handy; I did it about 5 years ago at one site and it really did the trick.

Install 'sudo' and you can start to control who can run what command. And sudo has a log file.

Sudo is available on the net, and there's heaps of info as well.

Incorporate the command checking as outlined in the previous replies posted above.

Best of all, turn on BSM auditing, but do some research first before using it.

As ghostdog74 said, you should enable Solaris auditing (formerly known as BSM). The audit class you want to assign is fd, which stands for file deletions.

It will generate an audit trail for all file deletions on your system.

See this page for more information.
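As an added example (not from the reply above or from Sun's documentation), here is the audit_control edit that turns on the fd class, done by a text-processing function so the result can be reviewed before it replaces the real file. It assumes the standard Solaris BSM layout (/etc/security/audit_control with a `flags:` line) and the class name fd quoted in the reply; the Solaris commands in the trailing comments are the apply and review steps and are not run by the example itself.

```sh
#!/bin/sh
# Added example: append an audit class to the "flags:" line of a Solaris
# audit_control file. The input is passed as text so the change can be
# checked against constructed content before touching /etc/security.

# add_audit_class CONTENT CLASS
# Print CONTENT with CLASS added to the comma-separated "flags:" list.
# Idempotent: a class already present is not duplicated. Other lines
# (dir:, minfree:, naflags:) pass through unchanged.
add_audit_class() {
    content=$1
    class=$2
    printf '%s\n' "$content" | awk -v cls="$class" '
        /^flags:/ {
            sub(/^flags:/, "")
            n = split($0, a, ",")
            found = 0
            for (i = 1; i <= n; i++) {
                if (a[i] == cls) found = 1
            }
            if (!found) {
                $0 = ($0 == "" ? cls : ($0 "," cls))
            }
            $0 = "flags:" $0
        }
        { print }'
}

# Applying it on the Solaris 8 host (not executed here):
#   /etc/security/bsmconv                 # enable BSM once, then reboot
#   cp /etc/security/audit_control /etc/security/audit_control.orig
#   add_audit_class "$(cat /etc/security/audit_control)" fd > /tmp/audit_control.new
#   cp /tmp/audit_control.new /etc/security/audit_control
#   audit -s                              # make auditd re-read audit_control
#
# Reviewing deletions afterwards:
#   auditreduce -c fd | praudit
# Each record carries a path token with the deleted file, a timestamp, and a
# subject token whose audit ID is the name used at login, which is what
# survives `su - oracle` and answers the original "who deleted it" question.
```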