Unix History

Status
Not open for further replies.

telcomwork

Technical User
Mar 2, 2002
1,625
US
How would I be able to view who made a change using the root command yesterday evening?

I tried using history but only see about 20 lines. Is there a log somewhere I can view?

Many thanks!
 
Use the "last" command to try to determine who was logged on at the time and from where. Check the system log (/var/adm/messages on Solaris) to see if anyone did an "su" to root (that's usually logged), and when. Check the shell history file (sounds like you're doing that).

For the future, you can change the .profile for root to keep a separate shell history file for each login. You can also make it keep more commands in the history. Changing these will make it easier to track down things like this.

Hope this helps.
 
THANK YOU! If I need to look back more than last night, something further than the last command reports, is there a switch to use?

Thanks again!
 
To check for users su-ing, look in /var/adm/sulog on Solaris instead of /var/adm/messages as suggested. The last command should give you a history of logins right back to when the log file wtmp was last recreated. Just use last | pg to get one page at a time.

Good luck.

I want to be good, is that not enough?
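
The sulog check described above, as an added example that is not part of the original thread: a shell function that lists su attempts to root for one day and an optional time window. The line layout (SU, date, time, +/- result, tty, from-to) is the usual Solaris sulog format and is assumed here; the function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report su attempts to root from a
# Solaris-style sulog. Assumed line layout (note: sulog records no year):
#   SU MM/DD HH:MM <+|-> <tty> <from>-<to>

su_to_root() {
    # $1 = sulog path ("-" reads stdin), $2 = day as MM/DD,
    # $3/$4 = optional HH:MM start and end of the window (inclusive)
    awk -v day="$2" -v from="${3:-00:00}" -v to="${4:-23:59}" '
        # HH:MM strings are zero-padded, so string comparison orders them
        $1 == "SU" && $2 == day && $3 >= from && $3 <= to && $6 ~ /-root$/ {
            user = $6
            sub(/-root$/, "", user)      # keep the account that ran su
            result = ($4 == "+") ? "ok" : "FAILED"
            printf "%s %s %s %s %s\n", $2, $3, user, $5, result
        }
    ' "$1"
}

# Constructed sample data, not taken from a real system.
sample_sulog() {
    cat <<'EOF'
SU 09/18 17:42 + pts/3 fred-root
SU 09/18 19:05 - pts/7 guest-root
SU 09/18 21:30 + pts/4 alice-oracle
SU 09/18 22:14 + pts/19 fred-root
SU 09/19 08:10 + console root-daemon
EOF
}

# Who tried to become root yesterday evening (18:00 onwards)?
sample_sulog | su_to_root - 09/18 18:00 23:59
```

On a live system the first argument would be /var/adm/sulog; the tty column can then be matched against the output of last to see where that session came from.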
 
For info, our /etc/profile on our AIX systems contains a section which looks like
Code:
tty >/dev/null 2>&1 && { \
  export HISTFILE=/var/hist/$(who am i|awk '{print $1}')_pts$(basename $(tty))_$(date +"%d.%m.%y"); \
  touch $HISTFILE 2>/dev/null; \
  chmod 666 $HISTFILE 2>/dev/null; \
  export HISTSIZE=50000; }
This ensures that each user has a unique history file for each session which looks like /var/hist/fred_pts19_190907

They retain the hist file even if they su up to root so we can trace their actions from logon to logoff. Of course black hats can cover their tracks by
Code:
> $HISTFILE
but it's better than nothing.

Ceci n'est pas une signature
Columb Healy
 