LinuxQuestions.org

Linux - Security: How to find out if last history records were modified? (https://www.linuxquestions.org/questions/linux-security-4/how-to-find-out-if-last-history-records-were-modified-748117/)

yuanjunliang 08-17-2009 08:21 AM

How to find out if last history records were modified?
 
For example, user root logs in to the system at 3:00 AM and wants to change or remove the record in the log in history.


Thanks

catkin 08-17-2009 04:20 PM

What do you mean by "log in history" and why do you want to remove the log in record from it?

unSpawn 08-17-2009 05:09 PM

Uh. No. Actually it's about wtmp and him needing to find out if/who changed any records.

TB0ne 08-17-2009 09:19 PM

Quote:

Originally Posted by yuanjunliang (Post 3646437)
For example, user root logs in to the system at 3:00 AM and wants to change or remove the record in the log in history.


Thanks

As unSpawn pointed out, it's about wtmp. If someone with root-level access logs in, they can remove/reset that history and edit the log files accordingly, to remove all traces.

Your only real hope is to mirror your system log files to another server, with some really good security, so that not ALL traces can be removed. Otherwise, there really isn't a good way. Root can do ANYTHING.
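Following up on the point that root can edit wtmp: an added example (my own, not code from this thread) that parses a wtmp file and flags the internal inconsistencies that careless editing leaves behind, such as timestamps that run backwards or a tty reused while its earlier session has no logout record. It assumes the glibc x86_64 utmp record layout and runs on constructed sample records; a root user who rewrites the file consistently will not trip it, so it complements rather than replaces the off-host log copy suggested above.

```python
import struct
from typing import List, NamedTuple

# glibc utmp record layout on x86_64 Linux (384 bytes); assumed for this example.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
Record = NamedTuple("Record", [("ut_type", int), ("pid", int), ("line", str),
                               ("user", str), ("host", str), ("tv_sec", int)])

def parse_wtmp(data: bytes) -> List[Record]:
    """Decode raw wtmp bytes into Record tuples, rejecting a truncated file."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp size is not a multiple of %d bytes" % UTMP_SIZE)
    cstr = lambda b: b.split(b"\0", 1)[0].decode("latin-1")
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append(Record(f[0], f[1], cstr(f[2]), cstr(f[4]), cstr(f[5]), f[9]))
    return recs

def find_anomalies(records: List[Record]) -> List[str]:
    """Flag timestamps running backwards and a tty/pts line logged into again
    while its previous session has no logout record (both hint at deleted entries)."""
    issues, last_ts, open_lines = [], 0, {}
    for i, r in enumerate(records):
        if r.tv_sec < last_ts:
            issues.append(f"record {i}: timestamp goes backwards ({r.tv_sec} < {last_ts})")
        last_ts = max(last_ts, r.tv_sec)
        if r.ut_type == BOOT_TIME:      # a reboot legitimately ends every session
            open_lines.clear()
        elif r.ut_type == USER_PROCESS:
            if r.line in open_lines:
                issues.append(f"record {i}: {r.line} reused by {r.user} while open for {open_lines[r.line]}")
            open_lines[r.line] = r.user
        elif r.ut_type == DEAD_PROCESS:
            open_lines.pop(r.line, None)
    return issues

def make_record(ut_type, pid, line, user, host, tv_sec) -> bytes:
    # Pack one record; used here only to build the constructed sample below.
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)
# Constructed sample: root's 03:00 session has no logout record before pts/0 is
# reused, and the last record carries an older timestamp than the one before it.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 4101, "pts/0", "root", "10.0.0.5", 1250492400),
    make_record(USER_PROCESS, 4230, "pts/0", "alice", "10.0.0.9", 1250494200),
    make_record(DEAD_PROCESS, 4230, "pts/0", "", "", 1250495000),
    make_record(USER_PROCESS, 4300, "pts/1", "bob", "10.0.0.7", 1250490000),
])
```

To check a real file, call `find_anomalies(parse_wtmp(open("/var/log/wtmp", "rb").read()))`; running the same check against the mirrored copy and comparing the two record lists shows exactly which entries differ.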

