logging console login

Hi there
I'm trying to establish a way to monitor when users log in to an HPUX box 
via the console.
Console login is required occasionally when other access routes have 
failed, i.e. the network.

On Solaris an entry is automatically sent to syslog from the port monitor 
process.

Is there a way to get HPUX 11.xx, without additional products, to log 
console logins to syslog or another cleartext file that could be read 
with a log monitoring system such as Tivoli or ITO, so that unnecessary 
console logins can be detected and reported?
regards peter
Reply peter 1/13/2006 12:49:44 PM

last | grep console

Reply Papa 1/16/2006 4:56:29 PM


Papa Piquillo wrote:
> last | grep console
> 
Yes, great, you must think I'm a newbie or something.  :-)
What I want, in common with Linux and Solaris, is console logins to be
written to a file as a warning, i.e. syslog or loginlog, rather than stored
in a binary file that sysadmins chop each time they want to save a bit 
of space.
Logins on the console are very difficult to attribute to a person. At 
least network logins can be barred from root login and force people to 
log in as themselves and switch user, but root login at the console is
usually a requirement to be enabled, in case the system falters and 
needs to be brought up in single user.
You could force people to log in as themselves to the console and switch 
user, but that's not much use in a NIS/LDAP setup.
Then a second generic account could be used, i.e. admin, but it's still a 
shared account and you don't know who is using it at any one time.
Therefore being alerted when someone uses the console is a good way of
watching out for inappropriate use.
So with that in mind, does anyone know how to enable such a basic feature on
HPUX 11.xx?
regards peter
Reply peter 1/18/2006 1:28:03 PM

peter <peter_news3@ossi.co.uk> wrote:
> Papa Piquillo wrote:
> > last | grep console
> > 
> Yes, great, you must think I'm a newbie or something.  :-)
> What I want, in common with Linux and Solaris, is console logins to be
> written to a file as a warning, i.e. syslog or loginlog, rather than stored
> in a binary file that sysadmins chop each time they want to save a bit 
> of space.

  Not terribly efficient or elegant, but what about "tail -f" and fwtmp?

> Logins on the console are very difficult to attribute to a person. At 
> least network logins can be barred from root login and force people to 
> log in as themselves and switch user, but root login at the console is
> usually a requirement to be enabled, in case the system falters and 
> needs to be brought up in single user.

  Single-user boot is not a login, so you can use /etc/securetty also
for the console.

> You could force people to log in as themselves to the console and switch 
> user, but that's not much use in a NIS/LDAP setup.

  What do you mean by that? It seems to conflict with what you say
above.

> Then a second generic account could be used, i.e. admin, but it's still a 
> shared account and you don't know who is using it at any one time.
> Therefore being alerted when someone uses the console is a good way of
> watching out for inappropriate use.
> So with that in mind, does anyone know how to enable such a basic feature on
> HPUX 11.xx?
> regards peter
Reply Frank 1/19/2006 8:44:39 PM

Frank Slootweg wrote:
> peter <peter_news3@ossi.co.uk> wrote:
>> Papa Piquillo wrote:
>>> last | grep console
>>>
>> Yes, great, you must think I'm a newbie or something.  :-)
>> What I want, in common with Linux and Solaris, is console logins to be
>> written to a file as a warning, i.e. syslog or loginlog, rather than stored
>> in a binary file that sysadmins chop each time they want to save a bit 
>> of space.
> 
>   Not terribly efficient or elegant, but what about "tail -f" and fwtmp?
> 
>> Logins on the console are very difficult to attribute to a person. At 
>> least network logins can be barred from root login and force people to 
>> log in as themselves and switch user, but root login at the console is
>> usually a requirement to be enabled, in case the system falters and 
>> needs to be brought up in single user.
> 
>   Single-user boot is not a login, so you can use /etc/securetty also
> for the console.
> 
>> You could force people to log in as themselves to the console and switch 
>> user, but that's not much use in a NIS/LDAP setup.
> 
>   What do you mean by that? It seems to conflict with what you say
> above.
> 
>> Then a second generic account could be used, i.e. admin, but it's still a 
>> shared account and you don't know who is using it at any one time.
>> Therefore being alerted when someone uses the console is a good way of
>> watching out for inappropriate use.
>> So with that in mind, does anyone know how to enable such a basic feature on
>> HPUX 11.xx?
>> regards peter

Thanks Frank for your reply.
Maybe if I put it another way.

When a system is running normally there is no reason for people to log in 
via the console, as the network is a more convenient way to access a 
system.
Users only know their own account details, i.e. username/password;
the use of root or other admin accounts is carefully controlled.

So if a user does not have access to the root password and they are an 
administrator, they can use sudo, or PowerBroker or BoKS or other access 
control systems, to gain access to the root account.

In this way we have a reasonably good method to track when they log in 
and who they switch user to when needed.

We also need to allow root access via the console so that when a system 
loses its network, or someone screws up and needs access to the console, 
it's there; however under the default HPUX there's no easy way to be 
alerted when someone uses it.

We can alert when someone logs in over the network via ssh and logs 
directly in as root, but they can log in via the console without 
generating any monitored event. (I'm referring to Tivoli or OpenView here.)

Solaris and Linux log this event without any further configuration, but 
HP and AIX, for that matter, don't at the moment.

What I'm trying to find out from those more in tune with HPUX (I'm more in 
tune with Solaris and Linux) is how to switch on such a basic function.

regards peter
Reply peter 1/20/2006 1:31:00 PM

peter wrote:
> Hi there
> I'm trying to establish a way to monitor when users log in to an HPUX box 
> via the console.
> Console login is required occasionally when other access routes have 
> failed, i.e. the network.
> 
> On Solaris an entry is automatically sent to syslog from the port monitor 
> process.
> 
> Is there a way to get HPUX 11.xx, without additional products, to log 
> console logins to syslog or another cleartext file that could be read 
> with a log monitoring system such as Tivoli or ITO, so that unnecessary 
> console logins can be detected and reported?
> regards peter
There is no built-in functionality to achieve this other than enabling 
auditing and setting up a log of what you want.

I would suggest rather a little hack to /etc/profile which will populate 
syslog.log, such as:

# On HP-UX who(1) the options must precede "am i"; with -R the output is
# "user line mon day time (host)", so $2 is the line and $6 the host.
if [ "$(tty)" = "/dev/console" ] && [ "$(id -un)" = "root" ]
then
    logger -p auth.notice -t console-login \
        "$$ $(who -R am i | awk '{ printf "login on %s %s\n", $2, $6 }')"
fi
Reply Kirk 1/20/2006 3:55:04 PM
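Kirk's /etc/profile hook above only fires for accounts whose login shell reads /etc/profile, and a user at the keyboard can interrupt the profile before the logger line runs. Frank's earlier "tail -f and fwtmp" remark points at the other place a console login always lands whatever the shell: the binary wtmp that `last` reads. The script below is an added example, not code from anyone in this thread: it converts wtmp with fwtmp(1M), picks out console logins newer than the last run, and writes them through logger(1) so they appear in the cleartext syslog.log that Tivoli or ITO can tail. Everything about the fwtmp text layout is an assumption to verify on your own box: the constructed sample assumes the fields are user, id, line, pid, type, termination, exit, epoch seconds and then the date string, and that a completed login is ut_type 7 (USER_PROCESS, as in utmp.h). The state file path, the auth.notice priority and the console-login tag are also choices made for this example.

```shell
#!/usr/bin/sh
# Added example: report console logins from wtmp to syslog. Not from the thread.
#
# ASSUMED fwtmp(1M) text layout (verify with `fwtmp < /var/adm/wtmp | head`):
#   $1 user  $2 id  $3 line  $4 pid  $5 type  $6 term  $7 exit  $8 epoch  $9.. date
# ASSUMED: ut_type 7 = USER_PROCESS (a completed login), 8 = DEAD_PROCESS.

WTMP=${WTMP:-/var/adm/wtmp}
STATE=${STATE:-/var/adm/console-login.last}   # epoch of newest login already reported
LINE=${LINE:-console}                          # tty name of the system console

# console_logins SINCE: read fwtmp text on stdin, print one syslog-ready line
# per console login newer than SINCE (epoch seconds).
console_logins() {
    awk -v since="${1:-0}" -v line="$LINE" '
        $3 == line && $5 == 7 && $8 + 0 > since + 0 {
            date = $9
            for (i = 10; i <= NF; i++) date = date " " $i
            printf "console login: user=%s line=%s pid=%s at %s\n", $1, $3, $4, date
        }'
}

# latest_epoch: print the newest console-login epoch on stdin (0 if none),
# so the next run only reports logins it has not already seen.
latest_epoch() {
    awk -v line="$LINE" '
        $3 == line && $5 == 7 && $8 + 0 > max { max = $8 + 0 }
        END { print max + 0 }'
}

# Constructed sample in the assumed fwtmp layout (not real data from the post):
# one network login, one console login by root, its logout, one by "admin".
SAMPLE='peter    ts01 pts/1           4120 7 0000 0000 1137416400 Mon Jan 16 12:00:00 2006
root     co   console         4211 7 0000 0000 1137420000 Mon Jan 16 13:00:00 2006
root     co   console         4211 8 0000 0000 1137420600 Mon Jan 16 13:10:00 2006
admin    co   console         4390 7 0000 0000 1137423600 Mon Jan 16 14:00:00 2006'

# run: meant for root's crontab every few minutes. The high-water mark is an
# absolute time, so it survives a sysadmin truncating wtmp to save space.
run() {
    last=0
    if [ -r "$STATE" ]; then last=$(cat "$STATE"); fi
    fwtmp < "$WTMP" | console_logins "$last" | logger -p auth.notice -t console-login
    fwtmp < "$WTMP" | latest_epoch > "$STATE"
}

# demo: show what the watcher would log for the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE" | console_logins 0
}

case "${1:-demo}" in
    run)  run ;;
    demo) demo ;;
esac
```

Run it as `sh console-login-watch.sh run` from root's crontab; with no argument it prints what it would log for the constructed sample. Before relying on it, compare the field numbers against real `fwtmp` output on the target system, and check that /etc/syslog.conf routes auth.notice to the file the monitor reads (the stock HP-UX configuration sends *.info to /var/adm/syslog/syslog.log).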

Kirk Gardner wrote:
> peter wrote:
>> Hi there
>> I'm trying to establish a way to monitor when users log in to an HPUX 
>> box via the console.
>> Console login is required occasionally when other access routes have 
>> failed, i.e. the network.
>>
>> On Solaris an entry is automatically sent to syslog from the port 
>> monitor process.
>>
>> Is there a way to get HPUX 11.xx, without additional products, to log 
>> console logins to syslog or another cleartext file that could be read 
>> with a log monitoring system such as Tivoli or ITO, so that unnecessary 
>> console logins can be detected and reported?
>> regards peter
> There is no built-in functionality to achieve this other than enabling 
> auditing and setting up a log of what you want.
> 
> I would suggest rather a little hack to /etc/profile which will populate 
> syslog.log, such as:
> 
> # On HP-UX who(1) the options must precede "am i"; with -R the output is
> # "user line mon day time (host)", so $2 is the line and $6 the host.
> if [ "$(tty)" = "/dev/console" ] && [ "$(id -un)" = "root" ]
> then
>     logger -p auth.notice -t console-login \
>         "$$ $(who -R am i | awk '{ printf "login on %s %s\n", $2, $6 }')"
> fi
Thanks Kirk, that's not a bad solution at all, I'll go with that for the mo.
PS: any of you guys who have HP contracts, can you ask HP to improve their 
basic logging?
regards peter
Reply peter 1/21/2006 1:51:56 PM

peter wrote:
> Kirk Gardner wrote:
> 
>> peter wrote:
>>
>>> Hi there
>>> I'm trying to establish a way to monitor when users log in to an HPUX 
>>> box via the console.
>>> Console login is required occasionally when other access routes have 
>>> failed, i.e. the network.
>>>
>>> On Solaris an entry is automatically sent to syslog from the port 
>>> monitor process.
>>>
>>> Is there a way to get HPUX 11.xx, without additional products, to log 
>>> console logins to syslog or another cleartext file that could be 
>>> read with a log monitoring system such as Tivoli or ITO, so that 
>>> unnecessary console logins can be detected and reported?
>>> regards peter
>>
>> There is no built-in functionality to achieve this other than enabling 
>> auditing and setting up a log of what you want.
>>
>> I would suggest rather a little hack to /etc/profile which will 
>> populate syslog.log, such as:
>>
>> # On HP-UX who(1) the options must precede "am i"; with -R the output is
>> # "user line mon day time (host)", so $2 is the line and $6 the host.
>> if [ "$(tty)" = "/dev/console" ] && [ "$(id -un)" = "root" ]
>> then
>>     logger -p auth.notice -t console-login \
>>         "$$ $(who -R am i | awk '{ printf "login on %s %s\n", $2, $6 }')"
>> fi
> 
> Thanks Kirk, that's not a bad solution at all, I'll go with that for the mo.
> PS: any of you guys who have HP contracts, can you ask HP to improve their 
> basic logging?
> regards peter
  As someone previously said, if you enable auditing you get any 
granularity you need, but you need trusted systems.
Reply Alan 1/22/2006 7:50:19 PM

7 Replies
376 Views