How could I find out who had rebooted my server / who was accessing my server at a particular time
Hi
I have lots of users with admin privilege, so someone had rebooted my server. When I searched bash_history I could not find the reboot command executed in root's .bash_history file. I found out the reboot time of my server in /var/log/messages. How can I find the list of users accessing my server at 11-12-2012 6 AM EST? I have more than 300 users accessing my server every minute. Do I have to open the .bash_history of each user profile to find the user who rebooted my server? Any help would be helpful.
Quote:
In addition to the problems that correlation poses your extra problems may be in the way you allowed users to reboot the machine (su, sudo, setuid root binaries: explain in detail please) and any tampering by users you are not aware of which may include any means of access that users configured themselves or any means that could provide illegal access.
Sorry unspawn, I had not given enough info in my first post.
1. I have been using PowerBroker instead of sudo. Users execute pbrun bash, get root access and perform their activities.
2. I have more than 300 users from the application team with root privilege, since they deploy and modify some apps, so I have given them root privilege. But to acquire root privilege they use pbrun bash and give their user information before entering root privilege, so the history seems to be stored in their own users' .bash_history files rather than root's .bash_history.
3. Operating system: Redhat 5.8 release.
4. Since some user performed the reboot, it is stored in the .bash_history in that user's home directory.
5. Do I have to enter each and every user and check the .bash_history files to audit who executed reboot at a particular period, since I could not find the time and date in the history command? So I am executing the following for all 300 users, manually auditing the reboot command at a particular time. It is very hard for me to go into 300 users and find the reboot command in each user's .bash_history. Please advise any easier way to find it.
echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile
'grep reboot /home/*/.bash_history' ?
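An added example, not code from the thread, that automates the HISTTIMEFORMAT-plus-grep approach suggested above: a POSIX shell audit that reads the epoch stamp lines bash writes to .bash_history once HISTTIMEFORMAT is set and reports only the commands run inside a chosen time window. The home tree and user names (alice, bob, carol) are constructed for the demo and are assumptions, not data from the thread.

```shell
#!/bin/sh
# Audit bash_history files for a command run inside a time window.
# Relies on the "#<epoch>" stamp lines that bash writes to the file once
# HISTTIMEFORMAT is set (the ~/.bash_profile change from the thread); a
# file without stamps is reported as "untimed" rather than silently skipped.

# audit_history FILE PATTERN START_EPOCH END_EPOCH
# Prints "user<TAB>epoch<TAB>command" for each matching command whose
# stamp falls in [START, END]; the user is taken from the home dir name.
audit_history() {
    file=$1; pattern=$2; start=$3; end=$4
    user=$(basename "$(dirname "$file")")
    awk -v u="$user" -v pat="$pattern" -v s="$start" -v e="$end" '
        /^#[0-9]+$/ { ts = substr($0, 2); next }   # stamp precedes its command
        $0 ~ pat {
            if (ts == "")                        print u "\tuntimed\t" $0
            else if (ts+0 >= s+0 && ts+0 <= e+0) print u "\t" ts "\t" $0
        }
        { ts = "" }                                # a stamp applies to one line
    ' "$file"
}

# audit_all HOME_ROOT PATTERN START_EPOCH END_EPOCH: scan every user's file.
# Epochs for a local time: date -d '2012-12-11 06:00 EST' +%s  (GNU date)
audit_all() {
    for f in "$1"/*/.bash_history; do
        [ -r "$f" ] && audit_history "$f" "$2" "$3" "$4"
    done
    return 0
}

# Constructed sample home tree (hypothetical users, not from the thread).
# 1355223600 is 2012-12-11 06:00 EST; alice rebooted five minutes later,
# carol rebooted the next day, and bob's file carries no stamps at all.
make_demo_home() {
    root=$(mktemp -d)
    mkdir -p "$root/alice" "$root/bob" "$root/carol"
    printf '#1355223600\npbrun bash\n#1355223900\nreboot\n' > "$root/alice/.bash_history"
    printf 'ls\nreboot\n' > "$root/bob/.bash_history"
    printf '#1355300000\nreboot\n' > "$root/carol/.bash_history"
    echo "$root"
}

DEMO_ROOT=$(make_demo_home)
# Who ran reboot between 06:00 and 07:00 EST on 2012-12-11?
audit_all "$DEMO_ROOT" 'reboot' 1355223600 1355227200
```

Entries marked untimed come from files written before HISTTIMEFORMAT was set, and, as the thread notes, a user who is root via pbrun can still truncate or rewrite the file, so treat the output as an audit convenience rather than evidence.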
Hey, you're a genius, man. Thanks for your help.
With 300 people having root you don't have a chance of being able to prove who did it.
All logs are subject to tampering, and you have no security. So even if you needed the logs for legal purposes, they are useless. Using the command history is not likely to work very well, as it is recycled every "n" commands, where "n" is up to the user. And then, it is entirely possible for the user to disable history tracking. Since this is a voluntary thing, you are just as likely to get a good answer by just asking "who did it?"
It doesn't matter. With 300 people any and all files may be modified.
Quote:
Without knowing that, there is no tangible information to base any statements on.
Thanks for your valuable info unspawn.
I tried the steps posted above to investigate. Since the user who had rebooted the server had removed the history from the .bash_history file in his home directory, I could not find the real culprit who had rebooted the server. When you create a user, he has the privilege to delete his own .bash_history file. Since I have learned a lesson from this, I have to block users so they cannot delete their own .bash_history. Is it possible to make users unable to delete or modify any command in the .bash_history in their home directory?