How to find out if last history records were modified?

yuanjunliang · 08-17-2009, 08:21 AM

For example, user root log in the system at 3:00 AM, want to change or remove the record in the log in history.

Thanks

catkin · 08-17-2009, 04:20 PM

What do you mean by "log in history" and why do you want to remove the log in record from itit?

unSpawn · 08-17-2009, 05:09 PM

Uh. No. Actually it's about wtmp and him needing to find out if/who changed any records.

TB0ne · 08-17-2009, 09:19 PM

Quote:

Originally Posted by yuanjunliang

For example, user root log in the system at 3:00 AM, want to change or remove the record in the log in history.

Thanks

As unSpawn pointed out, it's about wtmp. If someone with root level access logs in, they can remove/reset that history, and edit the log files accordingly, to remove all traces.

Your only real hope, is to mirror your system log files to another server, with some really good security, so that not ALL traces can be removed. Otherwise, there really isn't a good way. Root can do ANYTHING.