tracking file access/modification

Status
Not open for further replies.

cruel

Programmer
Aug 6, 2001
131
I work on a Sun Unix box where a group of people share an account. Lately I noticed someone changed my programs and caused jobs to fail a couple of times. Is there any way to track down which terminal the access comes from (e.g. PC IP address, term ID or anything like that)? I am not an admin, but if it is possible, I will request to have it done. Thanks
 
If you can correlate the output of the last command with the time the file was modified, and then figure out who was on the source IP address at the time somehow, then you may have a chance.

Annihilannic.
 
An alternative might be to make your programs read and execute only, and ask an admin to grant temporary write access when necessary.

I want to be good, is that not enough?
 
If the shells on your system are using .history files, which are located in each user's home directory, then your admin can look and see if there is a reference to your programs, but remember .history files can be edited by the user who owns them.
 
That's true, Gunnar, but it's my understanding that this is a shared account, with several people having access to it.

I want to be good, is that not enough?
 
Thanks, guys. It is correct that it is a shared account, without knowing for sure where it came from, but I know it is no incident. Tracking command history and files' last modification etc. are not enough. However, someone should be able to tell which PC the connection originates from. I am wondering if on the Solaris server there is a file, such as those under /etc with tty or term in it, that captures the source of the connection, and somehow that file can be linked to the command history?
 
last tells you (the third field), by using reverse DNS, either the hostname or IP address the user was using, like Anni said. You might be able to show that only that instance of the shared account was on at that time. This is not concrete proof because the file might have been changed via ftp, scp or an NFS shared mount.

It would be hard to correlate the commands run without an optional accounting or process accounting package installed and running.
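
The correlation suggested in the replies above (match the file's modification time against `last` output and read the source from the third field), as an added example that is not part of the original thread. The sample lines, the account name `shared`, the hostnames and the year are constructed, and the layout assumed is the usual `user tty source login - logout (duration)` form.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `last` output; not taken from any real system.
SAMPLE_LAST = """\
shared    pts/3        pc-101.example.com  Mon Aug  6 09:12 - 11:40  (02:28)
shared    pts/5        192.0.2.44          Mon Aug  6 10:05 - 10:50  (00:45)
shared    pts/7        pc-150.example.com  Mon Aug  6 13:00   still logged in
other     pts/2        pc-101.example.com  Mon Aug  6 10:00 - 10:45  (00:45)
reboot    system boot                      Mon Aug  6 07:00
"""

# user, tty, source, month, day, login time, optional "(days+HH:MM)" duration
ENTRY = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+\w{3}\s+(\w{3})\s+(\d+)\s+(\d\d:\d\d)"
    r"(?:\s+-\s+\d\d:\d\d\s+\((?:(\d+)\+)?(\d\d):(\d\d)\))?"
)

def sessions_at(last_text, account, mtime, year, slack=timedelta(minutes=1)):
    """Return (tty, source, login, logout) for each session of `account`
    open at `mtime`. logout is None when the session has not ended.
    `last` prints no year, so the caller supplies it; `slack` allows for
    the one-minute resolution of the login and logout times."""
    hits = []
    for line in last_text.splitlines():
        m = ENTRY.match(line)
        if not m or m.group(1) != account:
            continue  # other users, boot records, logins with no remote source
        _, tty, src, mon, day, t_in, days, hours, mins = m.groups()
        login = datetime.strptime(f"{year} {mon} {day} {t_in}", "%Y %b %d %H:%M")
        logout = None
        if hours is not None:
            # Use the duration, not the logout clock time, so sessions
            # that run past midnight are handled correctly.
            logout = login + timedelta(days=int(days or 0),
                                       hours=int(hours), minutes=int(mins))
        if login - slack <= mtime and (logout is None or mtime <= logout + slack):
            hits.append((tty, src, login, logout))
    return hits

if __name__ == "__main__":
    # Constructed mtime; on a real file use
    # datetime.fromtimestamp(os.stat(path).st_mtime)
    mtime = datetime(2001, 8, 6, 10, 32)
    for tty, src, login, logout in sessions_at(SAMPLE_LAST, "shared", mtime, 2001):
        end = f"{logout:%H:%M}" if logout else "open"
        print(f"{src:20} {tty:6} {login:%H:%M} - {end}")
```

Two sessions of the shared account cover the sample modification time, so the result is a list of candidate source hosts rather than a single answer.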
 