TB0ne |
08-17-2009 09:19 PM |
Quote:
Originally Posted by yuanjunliang
(Post 3646437)
For example, user root logs in to the system at 3:00 AM and wants to change or remove the record in the login history.
Thanks
|
As unSpawn pointed out, it's about wtmp. If someone with root-level access logs in, they can remove/reset that history and edit the log files accordingly to remove all traces.
Your only real hope is to mirror your system log files to another server with some really good security, so that not ALL traces can be removed. Otherwise, there really isn't a good way. Root can do ANYTHING.
|
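Added example, not part of the post above: a check run on the log server that compares sshd logins in the mirrored log with the monitored host's wtmp and reports sessions wtmp no longer shows. It assumes the 384-byte Linux/glibc utmp record layout and mirrored lines that start with an ISO 8601 timestamp; the function names and all sample data are constructed for illustration.

```python
import re
import struct
from datetime import datetime, timezone

# Assumed layout: Linux/glibc struct utmp, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type of a normal login session
# Assumed mirrored line format: "<ISO time> <host> sshd[pid]: Accepted ..."
ACCEPT = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from ")

def wtmp_logins(raw):
    """Return [(user, epoch_seconds)] for login records in wtmp bytes."""
    out = []
    for off in range(0, len(raw) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(raw, off)
        if f[0] == USER_PROCESS:
            user = f[4].split(b"\0", 1)[0].decode("utf-8", "replace")
            out.append((user, f[9]))  # f[9] is ut_tv.tv_sec
    return out

def remote_logins(lines):
    """Return [(user, epoch_seconds)] for accepted sshd logins in mirrored lines."""
    out = []
    for ln in lines:
        m = ACCEPT.match(ln)
        if m:
            ts = int(datetime.fromisoformat(m.group(1)).timestamp())
            out.append((m.group(2), ts))
    return out

def missing_from_wtmp(raw, lines, slack=60):
    """Logins seen by the log server with no wtmp record within `slack` seconds."""
    local = wtmp_logins(raw)
    return [(u, t) for u, t in remote_logins(lines)
            if not any(u == lu and abs(t - lt) <= slack for lu, lt in local)]

def _rec(user, ts):
    """Build one constructed wtmp record (sample data only)."""
    return UTMP.pack(USER_PROCESS, 1000, b"pts/0", b"ts/0", user.encode(),
                     b"192.0.2.10", 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample: the mirror saw two logins, wtmp on the host shows one.
T0 = int(datetime(2009, 8, 17, 3, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_WTMP = _rec("alice", T0 + 22500)
SAMPLE_REMOTE = [
    "2009-08-17T03:00:12+00:00 web1 sshd[2211]: Accepted password for root from 192.0.2.10 port 50022 ssh2",
    "2009-08-17T09:15:00+00:00 web1 sshd[2390]: Accepted publickey for alice from 192.0.2.10 port 50100 ssh2",
]

if __name__ == "__main__":
    for user, ts in missing_from_wtmp(SAMPLE_WTMP, SAMPLE_REMOTE):
        print("no wtmp record for", user, datetime.fromtimestamp(ts, timezone.utc))
```

The comparison is only as trustworthy as the mirror, so it belongs on the log server, where root on the monitored host has no access.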