lphistory Command

Purpose

Displays or clears the history list of least-privilege (LP) commands that have been run during the current resource monitoring and control (RMC) session.

Syntax

Description

The lphistory command lists the history of LP commands that have been run by the least-privilege resource manager. The command history is maintained as records in the RSCT audit log. By default, only the command string (the path name plus arguments) from each audit log record is listed. The -L flag controls the output format of lphistory; use it to display specific fields as needed. The selection flags (-B, -C, -E, -m, -S, or -u) control the selection string that is passed to lsaudrec.

The lphistory command takes one optional parameter: the number of records to list. The default value of num_records is 10. If none of the selection flags is used, the latest number of records in the audit log (specified by num_records) are listed. Otherwise, the latest number of records (specified by num_records) from those selected by one or more of the selection flags are listed. This selection process applies to the audit records on each node specified by the -a flag or the -n flag. If neither -a nor -n is specified, the selection process applies to the audit records on the local node.

The -B and -E flags take time stamps as arguments. Time stamps are in the form MMddhhmmyyyy, where MM is the two-digit month (01-12), dd is the two-digit day of the month (01-31), hh is the two-digit hour (00-23), mm is the two-digit minute (00-59), and yyyy is the four-digit year.

You can use the wild card character (%) with identity-related arguments (user_ID, mapped_ID) and command names. The % can be placed at the beginning or end of the string, or anywhere within it. You cannot use any wild card characters when specifying command_path.

You can remove audit log records using the -c flag. If none of the selection flags is specified, all audit log records for the least-privilege resource manager are removed. Otherwise, the records selected by one or more of the selection flags are removed. The -c flag cannot be used with the -L flag or the num_records parameter.

Flags

-a
Displays previously-issued LP commands for all nodes in the domain.

The CT_MANAGEMENT_SCOPE environment variable determines the scope of the cluster. If CT_MANAGEMENT_SCOPE is not set, management domain scope is chosen first (if a management domain exists), peer domain scope is chosen next (if a peer domain exists), and then local scope is chosen, until the scope is valid for the command. The command runs once for the first valid scope it finds. For example, if a management domain and a peer domain both exist and CT_MANAGEMENT_SCOPE is not set, this command applies to the management domain. If you want this command to apply to the peer domain, set CT_MANAGEMENT_SCOPE to 2.

You cannot specify this flag with the -n flag.

-B MMddhhmmyyyy
Specifies a beginning time stamp in the form MMddhhmmyyyy, where MM is the two-digit month (01-12), dd is the two-digit day (01-31), hh is the two-digit hour (00-23), mm is the two-digit minute (00-59), and yyyy is the four-digit year. The time can be truncated from right to left, except for MM. If not all digits are specified, the year defaults to the current year, minutes to 0, hour to 0, and day to 01. At a minimum, the month must be specified. The command lists or removes only those records that were created at or after this time.
-c
Clears the history of LP commands. You cannot specify this flag with the num_records parameter or the -n flag.
-C command_name
Specifies a command name. lphistory -C lists or removes only those records that contain command_name, which is the name of a command without a fully-qualified path (mkrsrc, for example). You can use wild card characters in command_name.
-E MMddhhmmyyyy
Specifies an ending time stamp in the form MMddhhmmyyyy, where MM is the two-digit month (01-12), dd is the two-digit day (01-31), hh is the two-digit hour (00-23), mm is the two-digit minute (00-59), and yyyy is the four-digit year. The time can be truncated from right to left, except for MM. If not all digits are specified, the year defaults to the current year, minutes to 0, hour to 0, and day to 01. At a minimum, the month must be specified. The command lists or removes only those records that were created at or before this time.
-L a | c | e | m | n | t | u | x
By default, only the command string (path name plus arguments) from each audit log record is listed. If this flag is specified, the argument is one or more of the following letters; the fields are displayed in the same order as the letters in the flag argument.
a
Displays all fields from the audit log in the following order: t, u, m, n, x, c (specifying -L a is the same as specifying -L tumnxc)
c
Displays the command string (the default)
e
Displays the standard error output
m
Displays the mapped identity
n
Displays the name of the node where the command ran
t
Displays the time field
u
Displays the authenticated user identity
x
Displays the LP command exit status

You cannot specify this flag with the -c flag.

-m mapped_ID
Specifies a mapped identity. lphistory -m lists or removes only those records that contain mapped_ID. You can use wild card characters in mapped_ID.
-n host1[,host2,…]
Specifies one or more nodes in the cluster on which the LP command history list is to be retrieved or cleared. (By default, the history list for the local node is retrieved or cleared.)

This flag is valid only in a management domain or a peer domain. If the CT_MANAGEMENT_SCOPE environment variable is not set, management domain scope is chosen first (if a management domain exists) and then peer domain scope is chosen, until the scope is valid for the command. The command runs once for the first valid scope it finds.

You cannot specify this flag with the -a flag.

-S command_path
Specifies a command path name. lphistory -S lists or removes only those records that contain command_path, which is identical to the value of the CommandPath in the LPCommands class (/usr/sbin/RSCT/bin/mkrsrc, for example). You cannot use wild card characters in command_path.
-u user_ID
Specifies an authenticated user identity. lphistory -u lists or removes only those records that contain user_ID. You can use wild card characters in user_ID.
-h
Writes the command's usage statement to standard output.
-T
Writes the command's trace messages to standard error.
-V
Writes the command's verbose messages to standard output.

Parameters

num_records
Specifies the number of commands to be displayed from the history list. You can list a minimum of one command and a maximum of 100 commands. The default value is 10. You cannot specify this parameter with the -c flag.

Security

To run the lphistory command, you need write permission in the Class ACL of the IBM.LPCommands resource class. Permissions are specified in the LP ACLs on the contacted system. See the lpacl file for general information about LP ACLs and the RSCT Administration Guide for information about modifying them.

Exit Status

0
The command has run successfully.
1
An error occurred with RMC.
2
An error occurred with the command-line interface (CLI) script.
3
An incorrect flag was specified on the command line.
4
An incorrect parameter was specified on the command line.
5
An error occurred with RMC that was based on incorrect command-line input.
6
The resource was not found.

Environment Variables

CT_CONTACT
Determines the system that is used for the session with the RMC daemon. When CT_CONTACT is set to a host name or IP address, the command contacts the RMC daemon on the specified host. If CT_CONTACT is not set, the command contacts the RMC daemon on the local system where the command is being run. The target of the RMC daemon session and the management scope determine the LP resources that are processed.
CT_MANAGEMENT_SCOPE
Determines the management scope that is used for the session with the RMC daemon to process the LP resources. The management scope determines the set of possible target nodes where the resources can be processed. The valid values are:
0
Specifies local scope.
1
Specifies local scope.
2
Specifies peer domain scope.
3
Specifies management domain scope.

If this environment variable is not set, local scope is used.

Implementation Specifics

This command is part of the Reliable Scalable Cluster Technology (RSCT) fileset.

Standard Output

When the -h flag is specified, this command's usage statement is written to standard output. When the -V flag is specified, this command's verbose messages are written to standard output.

Standard Error

All trace messages are written to standard error.

Examples

  1. To list 20 LP commands that were previously issued on the local node, enter:
    lphistory 20
  2. Suppose nodeA is in a management domain and CT_MANAGEMENT_SCOPE is set to 3. To list the LP command history on nodeA, enter:
    lphistory -n nodeA
  3. To display the last 15 LP commands invoked with time, user ID, mapped ID, mechanism, return code, standard error, command name, and command string, enter:
    lphistory -L a 15
  4. To display the LP command names that end with rsrc, enter:
    lphistory -C %rsrc
  5. To display the LP commands that were invoked after 11:30 PM on April 18, 2006, enter:
    lphistory -B 041823302006
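
The truncation defaults for -B and -E decide which audit records a selection covers, which matters most when the same selection is later used with -c. The following is an added example, not part of the original page or of RSCT: the hypothetical helpers lp_expand_ts and lp_window_args expand a truncated time stamp to the full MMddhhmmyyyy form and reject out-of-range fields and inverted windows. Accepting only whole-field truncation (MM, MMdd, MMddhh, MMddhhmm) is an assumption.

```shell
# Added example; lp_expand_ts and lp_window_args are hypothetical helpers.
# Expand a truncated -B/-E time stamp to full MMddhhmmyyyy using the page's
# defaults: day 01, hour 0, minutes 0, year = current year.
lp_expand_ts() {
    ts=$1
    year=${2:-$(date +%Y)}    # optional second argument pins the year
    case $ts in
        ''|*[!0-9]*) echo "lp_expand_ts: digits only: '$ts'" >&2; return 1 ;;
    esac
    case $year in
        [0-9][0-9][0-9][0-9]) ;;
        *) echo "lp_expand_ts: year must be yyyy: '$year'" >&2; return 1 ;;
    esac
    # Assumption: truncation drops whole fields (MM, MMdd, MMddhh, MMddhhmm).
    case ${#ts} in
        2)  ts="${ts}010000${year}" ;;
        4)  ts="${ts}0000${year}" ;;
        6)  ts="${ts}00${year}" ;;
        8)  ts="${ts}${year}" ;;
        12) ;;
        *)  echo "lp_expand_ts: bad length: '$ts'" >&2; return 1 ;;
    esac
    MM=$(printf %s "$ts" | cut -c1-2); dd=$(printf %s "$ts" | cut -c3-4)
    hh=$(printf %s "$ts" | cut -c5-6); mi=$(printf %s "$ts" | cut -c7-8)
    # Ranges from the flag text: MM 01-12, dd 01-31, hh 00-23, mm 00-59.
    if [ "$MM" -lt 1 ] || [ "$MM" -gt 12 ] || [ "$dd" -lt 1 ] ||
       [ "$dd" -gt 31 ] || [ "$hh" -gt 23 ] || [ "$mi" -gt 59 ]; then
        echo "lp_expand_ts: field out of range: '$ts'" >&2; return 1
    fi
    printf '%s\n' "$ts"
}

# Build "-B <begin> -E <end>" for a window and refuse an inverted one, so
# the same selection can be listed and reviewed before it is used with -c.
lp_window_args() {
    b=$(lp_expand_ts "$1" "$3") || return 1
    e=$(lp_expand_ts "$2" "$3") || return 1
    # Reorder to yyyyMMddhhmm so a numeric comparison is chronological.
    bk=$(printf %s "$b" | cut -c9-12)$(printf %s "$b" | cut -c1-8)
    ek=$(printf %s "$e" | cut -c9-12)$(printf %s "$e" | cut -c1-8)
    if [ "$bk" -gt "$ek" ]; then
        echo "lp_window_args: begin is after end" >&2; return 1
    fi
    printf '%s\n' "-B $b -E $e"
}
```

The output of lp_window_args can be appended to an lphistory -L a listing to review exactly which records a time window selects.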

Location

/usr/sbin/rsct/bin/lphistory
Contains the lphistory command.