Need info on logging who reboots the server
Someone has been logging in and issuing reboot commands. I am running Red Hat EL 5. Is it possible to find a log of, or start logging, which IP or which user the reboot command came from?
You can use the last command.
Code:
root pts/2 10.0.7.232 Wed Aug 11 02:43 still logged in
Thanks, I tried that, but here is what I get. I'm not sure why it shows this way. It doesn't say who issued the reboot command, unless I am missing something.
Code:
root pts/1 1x.1x.4.x Tue Aug 10 00:17 - 04:18 (04:01)
root pts/1 1x.1x.4.x Tue Aug 10 00:09 - 00:10 (00:00)
root pts/1 1x.1x.4.x Tue Aug 10 00:00 - 00:02 (00:01)
root pts/1 1x.1x.4.x Mon Aug 9 23:55 - 23:58 (00:03)
root pts/1 1x.1x.4.x Mon Aug 9 23:52 - 23:54 (00:02)
root pts/0 1x.1x.4.x Mon Aug 9 23:49 - 00:22 (00:32)
reboot system boot 2.6.18-92.el5 Mon Aug 9 23:48 (11:59)
wxxx pts/4 1x.1x.4.x Mon Aug 9 15:39 - 15:43 (00:03)
Only super users (such as root) have privileges to reboot a system. The "last" command will only tell you when the command was issued by the pseudo user "reboot".
The only way to tell is to go through the ~/.bash_history of each user and check for any su or sudo commands to root with subsequent attempts to reboot. This logic will obviously not apply if you are sharing the root password with anybody else. Also check for any cron jobs that are set up. To sum it up, enforce the use of sudo.
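The history and cron review described in the answer above, as an added example that is not part of the original thread. The function names (scan_history, scan_homes, scan_cron, make_sample), the command patterns and the sample files are assumptions made for illustration.

```shell
#!/bin/bash
# Triage helper: flag privilege-escalation and reboot-type commands in shell
# histories, and reboot-type commands in cron files. The pattern lists are an
# assumed starting point, not exhaustive.
SEP='(^|[;&|/[:space:]])'
END='([;&|[:space:]]|$)'
BOOT_RE="${SEP}(reboot|halt|poweroff|shutdown|(tel)?init[[:space:]]+[06])${END}"
PRIV_RE="${SEP}(su|sudo)${END}"

# scan_history FILE -> "file:line:TAG:command", in file order so that an
# su/sudo (PRIV) followed by a reboot (BOOT) is visible as a sequence.
scan_history() {
    [ -r "$1" ] || return 0
    grep -nE "$BOOT_RE|$PRIV_RE" "$1" | while IFS=: read -r n cmd; do
        if printf '%s\n' "$cmd" | grep -qE "$BOOT_RE"; then tag=BOOT; else tag=PRIV; fi
        printf '%s:%s:%s:%s\n' "$1" "$n" "$tag" "$cmd"
    done
}

# scan_homes DIR -> scan every DIR/<user>/.bash_history
scan_homes() {
    for h in "$1"/*/.bash_history; do scan_history "$h"; done
}

# scan_cron PATH... -> cron lines that run a reboot-type command.
# "@reboot" entries are not matched: they run a job at boot, they do not reboot.
scan_cron() {
    grep -rHnE "$BOOT_RE" "$@" 2>/dev/null || true
}

# Constructed sample data (not from the thread) so the script runs anywhere.
make_sample() {
    mkdir -p "$1/home/alice" "$1/home/bob" "$1/cron"
    printf '%s\n' 'ls -l' 'su -' '/sbin/reboot' > "$1/home/alice/.bash_history"
    printf '%s\n' 'vi notes.txt' 'man reboot.conf' > "$1/home/bob/.bash_history"
    printf '%s\n' '@reboot root /usr/local/bin/warmup' \
        '30 23 * * * root /sbin/shutdown -r now' > "$1/cron/maint"
}

d=$(mktemp -d) && make_sample "$d"
scan_homes "$d/home"
scan_cron "$d/cron"
rm -rf "$d"
# On a real host: scan_homes /home; scan_history /root/.bash_history
#                 scan_cron /etc/crontab /etc/cron.d /var/spool/cron
```

Bash history is writable by its owner and carries no timestamps unless HISTTIMEFORMAT is set, so treat hits as leads to correlate with the login times from last.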
Moved: This thread is more suitable in Linux - Security and has been moved accordingly to help your thread/question get the exposure it deserves.