Re: Audit trails

Matthew Archibald (matt@plato.West.Sun.COM)
Wed, 27 Nov 1996 07:54:29 -0800

On Sun, 24 Nov 1996, Tim Walding wrote:
> Actually, AIX has quite good auditing features for Unix.  It can include
> quite a bit of detail, including what commands a particular user is using 
> and at what time.  Almost no one uses the entire auditing features because
> it gives too much information and can slow the system response time noticeably.

In general I could get all of the log items mentioned in any
Unix variant with accounting for commands, standard syslog
with a few added filters, and file open/close info with
C2 features.  (No need to haggle about C2; I am only referring
to the 'C2' functionality 'as shipped' by various vendors and
the Sys-Admin's ability to turn the service on for auditing
purposes.)

From Solaris, but AIX, HP-UX, Dec-Alpha, Ultrix, FreeBSD etc.
all provide similar functions.

     acct,  acctdisk,  acctdusg,  accton,  acctwtmp,   closewtmp,
     utmp2wtmp   -   overview  of  accounting  and  miscellaneous
     accounting commands

Solaris for instance provides various tools in /usr/lib/acct
for running accounting and follow-up reporting utilities:

acctcms     acctmerg    chargefee   monacct     ptelus.awk  utmp2wtmp
acctcon     accton      ckpacct     nulladm     remove      wtmpfix
acctcon1    acctprc     closewtmp   prctmp      runacct
acctcon2    acctprc1    dodisk      prdaily     shutacct
acctdisk    acctprc2    fwtmp       prtacct     startup
acctdusg    acctwtmp    lastlogin   ptecms.awk  turnacct

For instance:

#ident  "@(#)runacct.sh 1.6     94/12/15 SMI"   /* SVr4.0 1.9   */
#       "nitely accounting shell, should be run from cron (adm) at 4am"
#       "does process, connect, disk, and fee accounting"
#       "prepares command summaries"
#       "shell is restartable and provides reasonable diagnostics"

Example command accounting:
------------------------------
root: ./startup         (Turn it on)
root: ls
acctcms     acctmerg    chargefee   monacct     ptelus.awk  utmp2wtmp
acctcon     accton      ckpacct     nulladm     remove      wtmpfix
root: lastcomm
ls          root     pts/4          0.08 secs Wed Nov 27 07:53
startup     root     pts/4          0.04 secs Wed Nov 27 07:53
rm          root     pts/4          0.07 secs Wed Nov 27 07:53
rm          root     pts/4          0.08 secs Wed Nov 27 07:53
rm          root     pts/4          0.08 secs Wed Nov 27 07:53
turnacct    root     pts/4          0.06 secs Wed Nov 27 07:53
accton   S  root     pts/4          0.14 secs Wed Nov 27 07:53
root: shutacct          (Turn it off)
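As an added example (not part of the post above), here is a small parser for lastcomm output in the column layout shown, giving the per-user command view Tim mentions plus one check a defender would want: commands that ran with superuser privilege (the S flag) under a non-root login. The sample lines are constructed; the flag letters assumed are S (superuser), F (forked without exec), D (dumped core) and X (killed by signal) as documented for lastcomm(1).

```python
import re
from collections import Counter

# Constructed lastcomm(1) output in the column layout quoted in the post:
# command, optional flag letters, user, tty, CPU seconds, timestamp.
# Flag letters as documented for lastcomm: S = ran with superuser privilege,
# F = forked without exec, D = dumped core, X = killed by a signal.
SAMPLE_LASTCOMM = """\
ls          root     pts/4          0.08 secs Wed Nov 27 07:53
startup     root     pts/4          0.04 secs Wed Nov 27 07:53
rm          root     pts/4          0.07 secs Wed Nov 27 07:53
turnacct    root     pts/4          0.06 secs Wed Nov 27 07:53
accton   S  root     pts/4          0.14 secs Wed Nov 27 07:53
passwd   S  alice    pts/2          0.05 secs Wed Nov 27 07:55
sh       F  alice    pts/2          0.02 secs Wed Nov 27 07:55
"""

# The flag column is optional, so it is an optional group that only matches
# flag letters; the remaining fields are whitespace-separated.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?:(?P<flags>[SFDX]+)\s+)?(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+)\s+secs\s+(?P<when>.+?)\s*$"
)


def parse_lastcomm(text):
    """Return one dict per well-formed lastcomm line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["flags"] = rec["flags"] or ""
            rec["secs"] = float(rec["secs"])
            records.append(rec)
    return records


def commands_per_user(records):
    """Counter of (user, command) pairs: the 'what commands a user is using' view."""
    return Counter((r["user"], r["cmd"]) for r in records)


def privileged_by_nonroot(records):
    """Commands that ran with superuser privilege (S flag) under a non-root login.
    Set-uid programs such as passwd appear here legitimately; anything else
    on this list deserves a closer look."""
    return [(r["cmd"], r["user"], r["tty"]) for r in records
            if "S" in r["flags"] and r["user"] != "root"]
```

Note that accounting only records processes that exit after accton was run, so the turn-on command itself appears but nothing before it does.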