How could I find out who rebooted my server / who was accessing my server at a particular time
Hi
I have lots of users with admin privilege, so someone rebooted my server. When I searched the bash history I could not find the reboot command executed in root's .bash_history file. I found the reboot time of my server in /var/log/messages. How can I find the list of users accessing my server at 11-12-2012 6 AM EST? I have more than 300 users accessing my server every minute. Do I have to open the .bash_history of each user profile to find the user who rebooted my server? Any help would be helpful.
Why would you need "lots of users" with root rights? Why not give them access via Sudo only? That restricts their privileges and logs access as well.
Quote:
Originally Posted by LittleMaster
When I searched the bash history I could not find the reboot command executed in root's .bash_history file. I found the reboot time of my server in /var/log/messages. How can I find the list of users accessing my server at 11-12-2012 6 AM EST?
Linux doesn't come with an extensive audit trail configured out of the box. This means that depending on the Linux distribution and what software and services a machine is configured with, you minimally have access to system and daemon logs, user login records, (maybe process accounting or even the audit service), user shell history and file system MAC times, which info you can correlate.
In addition to the problems that correlation poses, your extra problems may be in the way you allowed users to reboot the machine (su, sudo, setuid root binaries: explain in detail please) and any tampering by users you are not aware of, which may include any means of access that users configured themselves or any means that could provide illegal access.
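The correlation the reply above describes (the reboot timestamp from /var/log/messages set against the login records in wtmp), as an added example that is not part of the thread. It is a POSIX shell script using only awk; the host name app01, the users, the addresses, the messages lines and the `last -F` output are all constructed, and it assumes the reboot date is 11 December so the syslog lines carry "Dec 11". On the real box the two functions would be fed `cat /var/log/messages` and `last -F` instead.

```shell
#!/bin/sh
# Added example (not from the thread): correlate the reboot time recorded in
# /var/log/messages with the login sessions that were open at that moment,
# as shown by `last -F` (which reads /var/log/wtmp). All sample data below is
# constructed; the host name app01, the users and the addresses are invented.
# On the real box you would run:
#   KEY=$(shutdown_key "$(cat /var/log/messages)") && sessions_open_at "$(last -F)" "$KEY"

# Constructed excerpt of /var/log/messages. Note that syslog records no year.
MESSAGES='Dec 11 05:58:10 app01 sshd[4410]: Accepted publickey for bob from 10.0.0.5 port 51022 ssh2
Dec 11 06:00:31 app01 shutdown[4521]: shutting down for system reboot
Dec 11 06:00:31 app01 init: Switching to runlevel: 6
Dec 11 06:03:02 app01 syslogd 1.4.1: restart.
Dec 11 06:03:02 app01 kernel: Linux version 2.6.18-308.el5'

# Constructed `last -F` output: user tty host Dow Mon DD HH:MM:SS YYYY - <end>
LAST='alice    pts/0        10.0.0.7         Tue Dec 11 04:10:02 2012 - Tue Dec 11 05:30:44 2012  (01:20)
bob      pts/1        10.0.0.5         Tue Dec 11 05:58:11 2012 - down                      (00:02)
carol    pts/2        10.0.0.9         Tue Dec 11 05:45:00 2012 - Tue Dec 11 06:00:20 2012  (00:15)
dave     pts/3        10.0.0.3         Tue Dec 11 05:40:00 2012 - Tue Dec 11 06:00:31 2012  (00:20)
eve      pts/0        10.0.0.7         Tue Dec 11 06:05:00 2012 - still logged in
reboot   system boot  2.6.18-308.el5   Tue Dec 11 06:02:50 2012 - Tue Dec 11 09:00:00 2012  (02:57)

wtmp begins Sat Dec  1 00:00:01 2012'

# Turn "Dec 11 06:00:31" into "12 11 06:00:31", a string that sorts
# chronologically within one year (no mktime needed, so any awk will do).
to_key() {
    printf '%s %s %s\n' "$1" "$2" "$3" | awk '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
        { printf "%s %02d %s\n", mon[$1], $2, $3 }'
}

# Key of the first shutdown / runlevel-6 line in a messages excerpt; fails if none.
shutdown_key() {
    set -- $(printf '%s\n' "$1" | awk \
        '/shutting down for system reboot|Switching to runlevel: 6/ { print $1, $2, $3; exit }')
    [ $# -eq 3 ] || return 1
    to_key "$1" "$2" "$3"
}

# Users whose session was open at key $2 (login <= key and not yet logged out).
# "down" means the session was ended by the shutdown itself: prime suspects.
# Caveat: a console login with an empty host column shifts the fields by one.
sessions_open_at() {
    printf '%s\n' "$1" | awk -v at="$2" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
        function key(mo, d, t) { return sprintf("%s %02d %s", mon[mo], d, t) }
        NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }
        {
            login = key($5, $6, $7)
            if (login > at) next
            end = $10                      # "down", "still", "gone", "crash" or a weekday
            if (end == "down" || end == "still" || end == "gone" || end == "crash") { print $1; next }
            if (key($11, $12, $13) >= at) print $1
        }'
}

KEY=$(shutdown_key "$MESSAGES") && {
    echo "shutdown logged at (MM DD HH:MM:SS): $KEY"
    echo "sessions open at that moment:"
    sessions_open_at "$LAST" "$KEY"
}
```

This narrows 300 users to the handful who had a session open when the shutdown was logged; it does not prove who typed the command. `last -x` additionally lists the shutdown and runlevel entries from wtmp, and if process accounting (psacct) was running, `lastcomm reboot` and `lastcomm shutdown` record the user who executed those binaries, which is the closest thing to a direct answer the stock tools offer.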
Sorry unspawn, I did not give enough info in my first post.
1. I have been using PowerBroker instead of sudo. Users execute pbrun bash, get root access and perform their activities.
2. I have more than 300 users from the application team with root privilege, since they deploy and modify some apps, so I have offered them root privilege. But to acquire root privilege they use pbrun bash and they give their user information before entering root privilege, so the history seems to be stored in their own .bash_history files rather than root's .bash_history.
3. Operating system: Red Hat 5.8 release.
4. Since some user performed the reboot, it is stored in the .bash_history in that user's home directory.
5. Do I have to enter each and every user and check their .bash_history files to audit who executed reboot at a particular period?
Since I could not find the time and date in the history command, I am executing the following for all 300 users, manually auditing the reboot command at a particular time. It's very hard for me to go into 300 users and find the reboot command in each user's .bash_history. Please advise any easy way to find it.
echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile
If you want to stand a chance you should 0) export them from a central directory like /etc/profile.d/, 1) for each shell in /etc/shells and 2) set both shopt -s histappend and PROMPT_COMMAND='history -a' to flush commands to the history file immediately. Even then you must understand that 0) the actual HISTTIMEFORMAT doesn't matter, as for example BASH logs in epoch only, 1) you may encounter shells that don't log time, 2) only new history entries get tagged and, most importantly, 3) a user's shell history is under the control of the user, meaning it can be altered, tampered with or outright deleted, ergo it cannot be relied on as part of an indisputable audit trail.
Quote:
Originally Posted by LittleMaster
It's very hard for me to go into 300 users and find the reboot command in each user's .bash_history.
With PowerBroker you get event and I/O logging. What it logs and where it logs depends on your settings and what PowerBroker daemon processes are running. I expect the default directory to be /var/log/ and the log file names start with pb.*.
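The central profile.d drop-in the reply recommends, and a scanner that uses the resulting "#<epoch>" stamps to pull matching commands out of every user's history for one time window, as an added example that is not part of the thread. It is a POSIX shell script; the file name history-audit.sh, the user names and the history excerpts are constructed, and the window is 2012-12-11 06:00 to 07:00 EST expressed as epoch seconds (reading the date in the post as 11 December).

```shell
#!/bin/sh
# Added example (not from the thread). Part 1 is the central /etc/profile.d
# drop-in the reply above recommends (with a bash-only guard, because
# /etc/profile.d/*.sh is sourced by every Bourne-style shell). Part 2 scans a
# user's ~/.bash_history for the "#<epoch>" stamp lines bash writes once
# HISTTIMEFORMAT is set, and lists matching commands inside a time window.
# The history excerpts, user names and the file name history-audit.sh are
# constructed for this example.

profile_snippet() {
    cat <<'EOF'
# /etc/profile.d/history-audit.sh -- install with: profile_snippet > /etc/profile.d/history-audit.sh
if [ -n "$BASH_VERSION" ]; then
    export HISTTIMEFORMAT='%d/%m/%y %T '   # any format works; bash stores epoch seconds regardless
    export HISTSIZE=100000 HISTFILESIZE=200000
    shopt -s histappend                    # append on exit, never truncate
    PROMPT_COMMAND='history -a'            # flush each command as soon as it has run
fi
EOF
}

# Window: 2012-12-11 06:00:00 to 07:00:00 EST as epoch seconds
# (GNU date: date -d '2012-12-11 06:00 EST' +%s).
WIN_START=1355223600
WIN_END=1355227200
# Commands that take the box down; extend to taste.
REBOOT_PAT='(^|[ /;|&])(reboot|shutdown|init 6|telinit 6)'

# scan_history_text CONTENT USER START END REGEX
# Prints "user<TAB>epoch<TAB>command" for matches with START <= epoch < END.
# Entries written before timestamping was enabled carry no "#epoch" line;
# those are reported with "?" instead of being silently dropped.
scan_history_text() {
    printf '%s\n' "$1" | awk -v user="$2" -v start="$3" -v end="$4" -v pat="$5" '
        /^#[0-9]+$/ { ts = substr($0, 2); next }      # stamp for the entry that follows
        $0 !~ pat   { next }
        ts == ""    { printf "%s\t?\t%s\n", user, $0; next }
        ts + 0 >= start + 0 && ts + 0 < end + 0 { printf "%s\t%s\t%s\n", user, ts, $0 }'
}

# Walk every home directory plus root (run as root; unreadable files are skipped).
scan_all_users() {
    for f in /root/.bash_history /home/*/.bash_history; do
        [ -r "$f" ] || continue
        scan_history_text "$(cat "$f")" "$(basename "$(dirname "$f")")" "$1" "$2" "$3"
    done
}

# Constructed histories: bob rebooted inside the window after pbrun, alice ran
# a shutdown later and outside it, carol's entry predates timestamping.
HIST_BOB='#1355220000
ls -l /opt/app
#1355223600
pbrun bash
#1355223631
/sbin/reboot'
HIST_ALICE='#1355223700
uptime
#1355230000
shutdown -r now'
HIST_CAROL='reboot
ls
#1355224000
exit'

printf 'user\tepoch\tcommand\n'
scan_history_text "$HIST_BOB"   bob   "$WIN_START" "$WIN_END" "$REBOOT_PAT"
scan_history_text "$HIST_ALICE" alice "$WIN_START" "$WIN_END" "$REBOOT_PAT"
scan_history_text "$HIST_CAROL" carol "$WIN_START" "$WIN_END" "$REBOOT_PAT"
# Real run, as root: scan_all_users "$WIN_START" "$WIN_END" "$REBOOT_PAT"
```

This is a convenience scan, not an audit trail, for exactly the reasons given above: a user in a pbrun root shell can `unset HISTFILE`, point it at /dev/null, or kill the shell before it flushes, and the append-only attribute discussed later in the thread only stops truncation of the file, not those evasions. The PowerBroker event and I/O logs, or an auditd watch such as `auditctl -w /sbin/shutdown -p x -k reboot`, are the sources that do not live under the user's control.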
With 300 people having root you don't have a chance of being able to prove who did it.
All logs are subject to tampering, and you have no security.
So even if you needed the logs for legal purposes, they are useless.
Using the command history is not likely to work very well, as it is recycled every "n" commands, where "n" is up to the user. And then, it is entirely possible for the user to disable history tracking.
Since this is a voluntary thing, you are just as likely to get a good answer by just asking "who did it?"
It doesn't matter. With 300 people any and all files may be modified.
I wonder why the amount of users should even enter the equation? It really is of no consequence. What matters in this case are what logging is configured (event log, I/O log), where it is configured to log to (local, remote) and the commands users are allowed to perform. Knowing that you can address circumvention, tamper resistance et cetera.
Without knowing that there is no tangible information to base any statements on.
I tried the steps posted above to investigate. Since the user who rebooted the server had removed the history from the .bash_history file in his home directory, I could not find the real culprit who rebooted the server.
When you create a user, he has the privilege to delete his own .bash_history file. Since I have learned a lesson from this, I have to block users from deleting their own .bash_history. Is it possible to make it so that users cannot delete or modify any command in the .bash_history in their home directory?
Let me know if you actually read what I wrote about PowerBroker, its logging and if you actually checked those logs.
Quote:
Originally Posted by LittleMaster
Since the user who rebooted the server had removed the history from the .bash_history file in his home directory.
IMHO wiping files is enough cause for concern to trace the user and simultaneously investigate the system for modification.
Quote:
Originally Posted by LittleMaster
Is it possible to make it so that users cannot delete or modify any command in the .bash_history in their home directory?
It is possible to set the extended "append only" attribute on files, but I urge you not to invest too much time in it. I already wrote the exact reasons why its contents cannot be trusted.