How to find out the PID of a command which is in history
If someone has done something wrong on a shared Linux machine, and I want to find out who that person is or the IP from which it was done, what are all the possible ways?
One possibility I thought of was to get the PID of the command and get other details from that PID?

By "shared machine", do you also mean a "shared user account"?

If the command is no longer running, you won't have the PID; it's not (normally) stored in the HISTORY file, although you may be able to set that.
You probably want to start with the log files (/var/log/*), looking for entries around the time you think something happened. If you have a specific question in mind, please tell us for better directions.

/var/log/messages and other log files in /var/log will provide an insight into what has happened in your system: who has logged in, how a user logged in, etc.
If you want to capture the PIDs, then you might need to write a script and log them. But that is not a nice idea to go ahead with, considering performance and space constraints.

Also, there is software called PowerBroker, but it is not freeware.
Check the link http://www.linuxforums.org/forum/sec...ternative.html --Rameez
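
The per-command logging that the replies above mention (recording the shell PID, which the history file does not keep), as an added example that is not part of the original thread. The file location, the `cmdlog` syslog tag and the `cmdlog_*` function names are assumptions chosen for illustration.

```shell
# Added example, not from the thread. Hypothetical location: /etc/profile.d/cmdlog.sh
# Sends each interactive bash command to syslog together with the shell PID,
# the tty and the SSH source address, so a history entry can later be tied
# to one login session even on a shared account.

# Extract the history number from a raw `history 1` line ("  123  some command").
cmdlog_number() {
    printf '%s\n' "$1" | sed -n 's/^ *\([0-9][0-9]*\).*/\1/p'
}

# Build one audit record.
# $1 = raw history line, $2 = shell PID, $3 = user, $4 = tty, $5 = $SSH_CLIENT value
cmdlog_record() {
    # Strip the history number and the "modified" flag (" " or "*") in front of the command.
    cmdlog_cmd=$(printf '%s\n' "$1" | sed 's/^ *[0-9][0-9]*[* ] *//')
    # SSH_CLIENT is "client_ip client_port server_port"; keep only the address.
    cmdlog_src=${5%% *}
    printf 'user=%s pid=%s tty=%s src=%s cmd=%s\n' \
        "$3" "$2" "$4" "${cmdlog_src:-local}" "$cmdlog_cmd"
}

# Runs before every prompt. Skips the call when the history number has not
# changed (for example when the user only pressed Enter).
cmdlog_hook() {
    cmdlog_raw=$(HISTTIMEFORMAT= history 1)
    cmdlog_n=$(cmdlog_number "$cmdlog_raw")
    [ -n "$cmdlog_n" ] && [ "$cmdlog_n" != "$CMDLOG_LAST" ] || return 0
    CMDLOG_LAST=$cmdlog_n
    logger -p authpriv.notice -t cmdlog -- \
        "$(cmdlog_record "$cmdlog_raw" "$$" "$(id -un)" "$(tty)" "$SSH_CLIENT")"
}

# Keep any hook that is already configured and run ours first.
PROMPT_COMMAND="cmdlog_hook${PROMPT_COMMAND:+; $PROMPT_COMMAND}"
```

The resulting syslog lines carry their own timestamps, so they can be matched against the login records in /var/log. Because the hook lives in the user's own shell it can be unset by that user, so forward the log to a host the shared users cannot write to.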