Quote:
Originally Posted by y_zl
After I logged in, I found the lastlog file was newly created, and previous records got lost. But for other files like secure, there are some files with names like secure-20080101,... that still exist; only this lastlog file has just one left. Just want to know: does it indicate somebody got into my system?
As a standalone event it does not, IMHO. If you read 'man lastlog' you see it is a sparse file that must not be rotated; after all it only holds a set of volatile data, much like utmp, and not the kind of accounting wtmp holds.
Quote:
Originally Posted by y_zl
and how could I verify that?
Verify and correlate your other logs: wtmp (see 'man last'), btmp (if any, see 'man lastb'), faillog ('man faillog'), /var/log/secure for logins. For generic error messages see the per-daemon logs in /var/log/ and /var/log/messages. If SELinux is enabled, see /var/log/messages (and /var/log/audit/audit.log if you run Auditd). If you have any doubts you had best run your auditing from a booted Live CD and verify your installation first with 'rpm -qVa' ('man rpm' for an explanation of the output). Checking timestamps, shell history and more steps are in the Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html which should be good to know anyway.
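Reading a lastlog copy offline and cross-checking it against wtmp-derived logins, as an added example that is not part of this thread: it assumes the glibc/Linux struct lastlog layout (int32 time, 32-byte line, 256-byte host, one record per UID) and uses constructed sample data in place of files taken from a Live CD.

```python
import struct

# Assumed glibc/Linux layout of struct lastlog: int32 ll_time, char ll_line[32],
# char ll_host[256]. One 292-byte record per UID, indexed by UID, so the file is
# sparse (holes for UIDs that never logged in) and is overwritten in place, not rotated.
LASTLOG_FMT = "<i32s256s"
RECORD_SIZE = struct.calcsize(LASTLOG_FMT)  # 292

def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")

def parse_lastlog(data):
    """Map UID -> (epoch seconds, tty line, host) for every non-empty record."""
    entries = {}
    for uid in range(len(data) // RECORD_SIZE):
        chunk = data[uid * RECORD_SIZE:(uid + 1) * RECORD_SIZE]
        ts, line, host = struct.unpack(LASTLOG_FMT, chunk)
        if ts == 0:          # hole: this UID has no recorded login
            continue
        entries[uid] = (ts, _cstr(line), _cstr(host))
    return entries

def uncorroborated(lastlog_entries, wtmp_logins):
    """UIDs whose lastlog timestamp has no matching (uid, epoch) login in the
    wtmp-derived list, e.g. parsed offline from 'last -F'. These need a closer look."""
    seen = set(wtmp_logins)
    return sorted(uid for uid, (ts, _, _) in lastlog_entries.items() if (uid, ts) not in seen)

def make_record(ts, line, host):
    """Build one record (constructed sample data, not read from a real system)."""
    return struct.pack(LASTLOG_FMT, ts, line.encode()[:32], host.encode()[:256])

def sample_lastlog():
    """Constructed lastlog image: UID 0 and UID 500 have logins, all other UIDs are holes."""
    img = bytearray(501 * RECORD_SIZE)
    img[0:RECORD_SIZE] = make_record(1199145600, "tty1", "")
    img[500 * RECORD_SIZE:501 * RECORD_SIZE] = make_record(1199232000, "pts/0", "192.0.2.10")
    return bytes(img)

if __name__ == "__main__":
    entries = parse_lastlog(sample_lastlog())
    # Constructed wtmp-derived logins: only root's login is corroborated by wtmp.
    wtmp = [(0, 1199145600)]
    for uid in uncorroborated(entries, wtmp):
        ts, line, host = entries[uid]
        print("UID %d: lastlog has %d on %s from %r, no matching wtmp login" % (uid, ts, line, host))
```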