Oh my: I am writing about SCO Unix again.
Every time I do this , I think "Wow - this has REALLY got to be the last time I'll be writing anything about SCO Unix!". The last time I did this was October 2012 and there were only three SCO related articles that entire year - I really thought that I might get through 2013 without anything.
But now, here I am, and it's because I disappointed myself. I had someone ask me about auditing SCO Unix OSR5 systems and found that I really didn't have an article that would get them started. Disappointing, because instead of being able to send him to something like that, I had to rummage around in my memory and read some man pages.
Let me say this: none of us like reading man pages. If reading man pages scores a 7 on a "how much do you dislike this activity on a scale of one to ten?", then reading SCO Unix OSR5 man pages scores a perfect 10.
First off, what's the point? Yeah, I know, to answer this guy's questions. But in olden days, I had a hundred or so SCO using customers and any one of them was likely to have a similar question sooner or later, so it was really worth my time to keep up with that stuff.
Now, however, I have a handful. Literally. Less than six, I'm sure. Most of them are just keeping legacy systems running in case they need a report from 2004 or something like that - they almost never have questions other than "Do you think we can keep this running another year?"
My answer to that is always to sigh and say "I wish you wouldn't."
So anyway: I turn down most new SCO work now. Even when I don't turn it down flat I protest that my memory is really rusty, that I'm afraid that rustiness may lead to my giving out bad advice and that, while I really do want to help, it will have to be with caveats:
Yeah, I know, that last one seems unfair. Think of it as payment for pain and suffering, ok?
So what about the auditing? Oh, right, I almost forgot.
Linux has decent auditing. I found two helpful articles you might like to peruse:
All set? Good..
What's that? SCO OSR5 Auditing? Aaargh..
OK, here's what I remember. Aside from commands like "last" which tell you when somebody logged in and out, there are two basic things you can do. One is to turn on accounting, which you do with something like
Once that's done, you can do a few other things just so you'll have something to look at, and then type
You'll get a lovely report that looks something like this:
There's a LOT more you can do, but for that you'd need to read man pages for all the stuff you'll find in/usr/lib/acct/ and my bet is that you don't want to. I sure as heck know that I don't!
There is another kind of accounting that goes much deeper. This is "auditing" and it actually records system calls. I can remember using it once or twice to see what unknown programs were actually up to. You turn that on in scoadmin->System->Security. It requires a reboot and the easiest way to get reports is to go right back into scoadmin and have it fetch what you want. My memory of this is that it ate up disk space like Cthulhu eats up, well, anything.
I'd show you a sample report from that, but I couldn't make it work on my SCO 5.0.7 system (running in VMware when I run it, which is almost never). I know that stuff works, but I lack any enthusiasm for figuring out why MY system doesn't. Sorry, I just don't have it in me.
So that's it. That's all I remember and all I was able to dredge from quick a-googling and a few awful man pages. Let's hope this really is the last time I write about SCO!
Got something to add? Send me email.
More Articles by Anthony Lawrence © 2013-06-06 Anthony Lawrence