Hmmm,
With AIX you can go to a granular level of monitoring and management.
If any one is trying to login to your system, he either has an account or snooped someone's password.
You have to look at the network services to track any remote user and shell/protocol they are using like ftp, telnet, rsh, rexec etc.., and you can block these by commenting them from /etc/inetd.conf file (then run refresh -s inetd).
If you are using a secure protocol or shell (ex: ssh, sftp), the user name and password is protected.
In any case if you run who or w, it will list you currently logged users. You will know who is it.
If the use is locally running any file or script you can trace it down, if you suspect a user is running a script you can grep to that user and it will disable the process id for each of executable.
You can track who was trying to login.
All the system logs are managed by syslog daemon, (/etc/syslog.conf), and they can be found under /var/adm or /var/log like messages, sudo logs, su logs, sshd logs etc..,
Also if you run who -u wmtp (under /var/adm), it will give you list of user and their IP addresses and time of login.
For failed login attempts you can look in /etc/security for file called failedlogin
run who -u failedlogin, it will list all the names and IP addressess
If you are suspecting someone is accessing a particular directory or file system, which they are not suppose to
run fuser -cu /<file system or directory name>, it will list you the user name and process id.
Note: Accessing from another LPAR can happen in two cases,
1. Either the user exist on local system.
2. The ssh key pair is exchanged.
Tightened your security by block unsecure ports.[tt][/tt]
