UNix History 3

[telcomwork]

How would I be able to view who made a change using the root command yesterday evening?

I tried using history but only see about 20 lines. Is there a log somewhere I can view?

Many thanks!

 

[SamBones]

Use the "[tt]last[/tt]" command to try to determine who was logged on at the time and from where. Check the system log ([tt]/var/adm/messages[/tt] on Solaris) to see if anyone did an "[tt]su[/tt]" to root (that's usually logged), and when. Check the shell history file (sounds like you're doing that.

For the future, you can change the [tt].profile[/tt] for root to keep a separate shell history file for each login. You can also make it keep more commands in the history. Changing these will make it easier to track down things like this.

Hope this helps.

 

[telcomwork]

THANK YOU! If I need to look back more than last night, something further than the last command reports is their a switch to use?

Thanks again!

 

[KenCunningham]

To check for users su-ing, look in /var/adm/sulog on Solaris instead of /var/adm/messages as suggected. The last command should give you a history of logins right back to when the log file wtmp was last recreated. Just use last | pg to get one page at a time.

Good luck.

I want to be good, is that not enough?

 

[columb]

For info, our /etc/profile on our AIX systems contains a section which looks like

tty >/dev/null 2>&1 && { \
  export HISTFILE=/var/hist/$(who am i|awk '{print $1}')_pts$(basename $(tty))_$(date +"%d.%m.%y"); \
  touch $HISTFILE 2>/dev/null; \
  chmod 666 $HISTFILE 2>/dev/null; \
  export HISTSIZE=50000; }

This ensures that each user has a unique history file for each session which looks like /var/hist/fred_pts19_190907

They retain the hist file even if the su up to root so we can trace their actions from logon to logoff. Of course black hats can cover their tracks by

> $HISTFILE

but it's better than nothing.

Ceci n'est pas une signature
Columb Healy