Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Well the long way would to do a ls -l and check the modify date; once you have the time, you can then cat /var/log/securelooking to see who was on around that time.... and then trace the ip address to a workstation name. "if they are using different computers"
I've created a file test.txt under /home/jb51/temp.
Code:
[root@s003ap19-test ~]# ls -la /home/jb51/temp/
total 3
drwxr-xr-x 2 jb51 jboss 1024 Jan 27 16:04 .
drwx------ 3 jb51 jboss 1024 Jan 27 16:04 ..
-rw-r--r-- 1 jb51 jboss 15 Jan 27 16:04 test.txt
One can also tell the IP-Address of my computer. But how can one confirm this file is modified by me, since the file name can not be found in /var/log/secure? Maybe at the same time someone else also loged in and created another file?
Code:
[root@s003ap19-test ~]# cat /var/log/secure
Jan 24 13:07:22 s003ap19-test sshd[11011]: Accepted keyboard-interactive/pam for jb51 from ::ffff:130.144.171.13 port 1600 ssh2
Jan 24 13:10:41 s003ap19-test sudo: jb51 : /etc/sudoers is mode 0640, should be 0440 ; TTY=pts/0 ; PWD=/home/jb51 ; USER=root ; COMMAND=service jb51
Jan 24 13:10:52 s003ap19-test sudo: jb51 : /etc/sudoers is mode 0640, should be 0440 ; TTY=pts/0 ; PWD=/home/jb51 ; USER=root ; COMMAND=service jb51
Jan 24 13:13:09 s003ap19-test sudo: jb51 : /etc/sudoers is mode 0640, should be 0440 ; TTY=pts/0 ; PWD=/home/jb51 ; USER=root ; COMMAND=service jb51 status
Jan 24 13:17:16 s003ap19-test sudo: jb51 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jb51 ; USER=root ; COMMAND=service jb51 status
Jan 26 14:23:49 s003ap19-test sshd[25677]: Accepted keyboard-interactive/pam for jb51 from ::ffff:130.144.171.13 port 4797 ssh2
Jan 27 16:04:12 s003ap19-test sshd[720]: Accepted keyboard-interactive/pam for jb51 from ::ffff:130.144.171.13 port 3128 ssh2
[root@s003ap19-test ~]#
Last edited by thomas2004ch; 01-27-2011 at 09:29 AM.
As for who modified, I dont know because everyone uses the same login id.. Off the top of my head would be to cross reference IP address, and login time, and date modified stamp of file.. To get a close idea of who it might be...
Maybe someone else here might know of a way to def tell who modified it.
But with it being the same login ID for each SSH session... This the only way I am able to think of to try and get as close as you can to who it was...
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
:
