Re: determining when root was logged in
From: Jerry Gelaude (ggelaude_at_SUMINET.NET)
Date: 10/26/03
- In reply to: Sue Pellerito: "Re: determining when root was logged in"
Date: Sun, 26 Oct 2003 01:20:37 -0400 To: aix-l@Princeton.EDU
Hi Vipin,

You will need to be root as this file is only readable by root. Look
at the /var/adm/sulog and see if anyone logged in as themselves and
made a "su -" to root or any other administrative ID. This file is
-rw------ root system. If the sulog has any other permissions, then I
would say that someone may have tampered with your log files.

The format shows day and time of a su along with what the originating
ID was. Then it is a simple matter of extracting the other data from
the last command. The ###### is where you will find the originating
ID. As the file can be quite large, cat the file. All new entries
are appended to the bottom. This file records any and all "su"
processes, no matter what the ID.

SU 10/26 01:06 + pts/5 #######-root

Good luck,
Regards Jerry

On Fri, 24 Oct 2003 15:37:55 -0700, you wrote:
>If a user logged on with their userid and then used a su - to switch to
>root, the 'last' command will not show root as logged in.
>
>Vipin Khushu <vkhushu@GUERNSEYOP.COM>
>Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
>10/24/2003 12:58 PM
>Please respond to IBM AIX Discussion List
>To: aix-l@Princeton.EDU
>cc:
>Subject: Re: determining when root was logged in
>
>Thanks Mark / Bill.
>
>However, this gets curiouser and curiouser.
>
>The last root command shows that the last time root logged into the system
>was back on sep 09.
>
>However, we are sure that this file was modified yesterday.
>
>Is there a way to determine who modified this file?
>
>Vipin
>
>
>
>
>
>
>-----Original Message-----
>From: Bill Verzal [mailto:BVerzal@KOMATSUNA.COM]
>Sent: Friday, October 24, 2003 1:49 PM
>To: aix-l@Princeton.EDU
>Subject: Re: determining when root was logged in
>
>
>last|more
>/etc/passwd and /etc/group
>--------------------------------------------------------
>
>"If everything is coming your way, then you are in the wrong lane"
>
>Bill Verzal
>AIX Administrator, Komatsu America
>(847) 970-3726 - direct
>(847) 970-4184 - fax
>
>
>Vipin Khushu <vkhushu@GUERNSEYOP.COM>
>Sent by: IBM AIX Discussion List <aix-l@Princeton.
>10/24/2003 12:03 PM
>Please respond to IBM AIX Discussion List
>To: aix-l@Princeton.EDU
>cc:
>Subject: determining when root was logged in
>
>I need to pinpoint who was logged in as root yesterday when this file was
>modified. So I would like to know what time the person / process got logged
>in as root and from what terminal / IP address.
>
>
>Also does anyone know where the list of users that are set up on the system
>are stored?
>
>
>I need to show the users that are set up as part of the system group.
>
>
>
>
>
>-rw-rw-rw- 1 root sys 26624 Oct 23 13:46 -dayend.cdx
>
>
>-rw-rw-rw- 1 root sys 42844 Oct 23 13:46 -dayend.dbf
>
>
>-rw-rw-rw- 1 root sys 10 Aug 02 10:03 -dayend.key
>
>
>
>
>
>TIA
>
>
>Vipin Khushu
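
The sulog check described in the reply above, as an added example that is not part of the original message: it pulls the successful switches to root for one day out of sulog-format lines and checks the file mode. It assumes the line layout shown in the message (SU, date, time, + or - for success or failure, tty, from-to); the sample entries and user names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Line layout as in the entry quoted in the message:
#   SU MM/DD HH:MM +|- tty from-to      (+ = succeeded, - = failed)

# su_events FILE MM/DD [TARGET] -> "HH:MM tty from" for each successful su
su_events() {
    awk -v day="$2" -v tgt="${3:-root}" '
        $1 == "SU" && $2 == day && $4 == "+" {
            suffix = "-" tgt
            n = length($6) - length(suffix)
            # match on the "-target" suffix so IDs containing "-" still parse
            if (n > 0 && substr($6, n + 1) == suffix)
                print $3, $5, substr($6, 1, n)
        }' "$1"
}

# failed_su FILE MM/DD -> number of failed su attempts that day
failed_su() {
    awk -v day="$2" '$1 == "SU" && $2 == day && $4 == "-" { c++ }
                     END { print c + 0 }' "$1"
}

# perms_ok FILE -> succeeds only if the mode is owner read/write and nothing
# else (owner and group are not checked here)
perms_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample data; on a real system read /var/adm/sulog as root.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SU 10/22 16:40 + pts/1 alice-root
SU 10/23 09:12 - pts/3 bob-root
SU 10/23 13:41 + pts/5 carol-root
SU 10/23 13:44 + pts/2 dave-oracle
SU 10/23 15:02 + pts/7 ops-admin-root
SU 10/24 08:30 + pts/0 alice-root
EOF

su_events "$sample" 10/23          # who became root on Oct 23, and from where
echo "failed attempts: $(failed_su "$sample" 10/23)"
perms_ok "$sample" || echo "unexpected permissions on $sample"
```

The times printed can then be lined up against the modification time of the file in question and against the tty shown by the last command for the originating ID.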