Quote:
Originally Posted by khizra
Automated scripts won't be found there in bash history...
|
No, they won't be.
Quote:
Originally Posted by khizra
Also, where would I find the info on who logs in using which shell?
I think one place is etc/log/secure...
|
Login records are stored in /var/log/wtmp and /var/log/btmp, and /var/log/secure is where, among others, PAM logs PAM login stack messages.
Quote:
Originally Posted by khizra
How do I find traces/signs of automated scripts?
|
You should always provide distribution, user, service and other relevant details as, apart from the above, things depend on your setup (for instance, both SELinux and Grsecurity can log, say, exec syscalls, but you have to run and have configured one of those beforehand, and both the 'at' and 'crond' services can use {at,cron}.deny files), who has access to the machine (IDS or Netfilter logging network scans and other traffic, the system recording any violations) and to some extent when you first got the hunch something could be wrong (sometimes you would be able to copy out deleted files on open file descriptors or "undelete" them). You see, providing details first is vital.
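
The reply's remark about copying out deleted files on open file descriptors, as an added example that is not part of the original post: on Linux, /proc/PID/fd exposes each descriptor as a link whose target ends in " (deleted)" once the file has been unlinked, and the content stays readable while the descriptor is open. The function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find files that were deleted while a
# process still holds them open, and copy the content out through /proc.
# Linux only; run as root to see descriptors of other users' processes.

# Print "PID FD PATH" for every open descriptor whose target was unlinked.
# With no argument all processes are scanned; pass a PID to limit the scan.
# Note: a live file literally named "... (deleted)" would also match.
list_deleted_fds() {
    pids=${1:-'[0-9]*'}
    # $pids is left unquoted on purpose so the glob expands to PID directories.
    for fd in /proc/$pids/fd/*; do
        # Processes can exit mid-scan; skip links that can no longer be read.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /*" (deleted)")
                pid=${fd#/proc/}
                pid=${pid%%/*}
                printf '%s %s %s\n' "$pid" "${fd##*/}" "${target% (deleted)}"
                ;;
        esac
    done
}

# Copy the content behind descriptor FD of process PID to DEST.
# The owning process is not signalled or modified; keep it running until
# the copy is done, because the data is freed when the descriptor closes.
recover_fd() {
    cp -- "/proc/$1/fd/$2" "$3"
}

# Usage (PID, descriptor and destination are constructed values):
#   list_deleted_fds
#   recover_fd 1234 5 /root/evidence/recovered.bin
```

A script that removes itself after starting shows up in this listing for as long as its interpreter keeps the file open, which is one reason to look before rebooting or killing anything.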