Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

tracking file access/modification

Status
Not open for further replies.

cruel

Programmer
Aug 6, 2001
131
I work on a sun unix box where a group of people share an account. lately I noticed someone changed my programs and caused jobs to fail couple of times. Is there anyway to track down from which terminal the access comes from (e.g. pc ip address, term id or anything like that?) I am not an admin, but if it is possible, I will request to have it done. Thanks
 
If you can correlate the output of the last command with the time the file was modified, and then figure out who was on the source IP address at the time somehow, then you may have a chance.

Annihilannic.
 
An alternative might be to make your programs read and execute only, and ask an admin to grant temporary write access when necessary.

I want to be good, is that not enough?
 
If the shells on your system is using .history files, it is located in each users homedirectory, then your admin can look an see if there is reference to your programs, but remeber .history files can be edited by the user who owns it.
 
That's true, Gunnar, but it's my understanding that this is a shared account, with several people having access to it.

I want to be good, is that not enough?
 
thanks, guys. it is correct that it is a shared account, without knowing for sure where it came from but I know it is no incident. Tracking command history and files' last modification etc are not enough. However, someone should be able to tell which PC the connection originates. I am wondering if on Solaris server there is a file, such as those under /etc with tty or term in it that capture the source of the connection, and somehow that file can be linked to the command history?
 
last tells you (the third field) by using reverse DNS either the hostname or IP address the user was using, like Anni said. You might be able to show only that instance of the shared account was on at that time. This is not concrete proof because the file might have been changed via ftp,scp or a NFS shared mount.

It would be hard to correlate the commands run without an optional accounting or process accounting package installed and running.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top