Re: determining when root was logged in

From: Jerry Gelaude (ggelaude@SUMINET.NET)
Date: Sun Oct 26 2003 - 01:20:37 EDT


Hi Vipin,

You will need to be root as this file is only readable by root. Look
at the /var/adm/sulog and see if anyone logged in as themselves and
made a "su -" to root or any other administrative ID. This file is
-rw------- root system. If the sulog has any other permissions, then I
would say that someone may have tampered with your log files.

The format shows day and time of a su along with what the originating
ID was. Then it is a simple matter of extracting the other data from
the last command. The ###### is where you will find the originating
ID. As the file can be quite large, cat the file. All new entries
are appended to the bottom. This file records any and all "su"
processes, no matter what the ID.

SU 10/26 01:06 + pts/5 #######-root

Good luck,

Regards Jerry

On Fri, 24 Oct 2003 15:37:55 -0700, you wrote:

>If a user logged on with their userid and then used a su - to switch to
>root, the 'last' command will not show root as logged in.
>
>From: Vipin Khushu <vkhushu@GUERNSEYOP.COM>
>Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
>Date: 10/24/2003 12:58 PM
>To: aix-l@Princeton.EDU
>cc:
>Subject: Re: determining when root was logged in
>
>Thanks Mark / Bill.
>
>However, this gets curiouser and curiouser.
>
>The last root command shows that the last time root logged into the system
>was back on sep 09.
>
>However, we are sure that this file was modified yesterday.
>
>Is there a way to determine who modified this file?
>
>Vipin
>
>
>-----Original Message-----
>From: Bill Verzal [mailto:BVerzal@KOMATSUNA.COM]
>Sent: Friday, October 24, 2003 1:49 PM
>To: aix-l@Princeton.EDU
>Subject: Re: determining when root was logged in
>
>
>last|more
>/etc/passwd and /etc/group
>--------------------------------------------------------
>
>"If everything is coming your way, then you are in the wrong lane"
>
>Bill Verzal
>AIX Administrator, Komatsu America
>(847) 970-3726 - direct
>(847) 970-4184 - fax
>
>
>From: Vipin Khushu <vkhushu@GUERNSEYOP.COM>
>Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
>Date: 10/24/2003 12:03 PM
>To: aix-l@Princeton.EDU
>cc:
>Subject: determining when root was logged in
>
>I need to pinpoint who was logged in as root yesterday when this file was
>modified. So I would like to know what time the person / process got logged
>in as root and from what terminal / IP address.
>
>
>Also does anyone know where the list of users that are set up on the system
>are stored?
>
>
>I need to show the users that are set up as part of the system group.
>
>
>-rw-rw-rw- 1 root sys 26624 Oct 23 13:46 -dayend.cdx
>-rw-rw-rw- 1 root sys 42844 Oct 23 13:46 -dayend.dbf
>-rw-rw-rw- 1 root sys 10 Aug 02 10:03 -dayend.key
>
>TIA
>
>
>Vipin Khushu
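Jerry's description of the /var/adm/sulog record (SU, day, time, "+" or "-" for success or failure, terminal, originating-target pair) and Bill's pointer to /etc/passwd and /etc/group can be turned into a small audit script that answers both of Vipin's questions: which real user became root around the file's modification time, whether the sulog still has the expected mode, and who is effectively in the system group. The script below is an added example written for this archive page, not code from the thread or shipped with AIX; the function names are my own, and it runs against constructed sample copies of sulog, /etc/passwd and /etc/group in a temporary directory rather than the live files.

```shell
#!/bin/sh
# Added example: audit helpers for the checks suggested in the thread.
# Assumed sulog line format (as shown in the reply): SU MM/DD HH:MM +|- tty from-to

# su_to_target SULOG TARGET
# Print every successful "su" whose target account is TARGET, one per line:
#   MM/DD HH:MM tty originating-user
# The originating user is everything before the last "-" in the from-to pair.
su_to_target() {
    awk -v t="$2" '
        $1 == "SU" && $4 == "+" {
            from = $6; sub(/-[^-]*$/, "", from)
            to   = $6; sub(/.*-/, "", to)
            if (to == t) print $2, $3, $5, from
        }' "$1"
}

# failed_su_count SULOG
# Number of rejected su attempts (status "-") to any account; a burst of these
# around the time in question is worth a second look.
failed_su_count() {
    awk '$1 == "SU" && $4 == "-" { n++ } END { print n + 0 }' "$1"
}

# file_mode FILE
# First ten characters of the ls -l listing, e.g. "-rw-------"; the reply says
# anything other than that mode on /var/adm/sulog is a sign of tampering.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# group_members PASSWD GROUP NAME
# Users effectively in group NAME: the explicit member list from GROUP plus
# every user whose primary gid in PASSWD is that group's gid. Listing only the
# explicit members misses accounts like root itself.
group_members() {
    gid=$(awk -F: -v g="$3" '$1 == g { print $3 }' "$2")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$3" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$1"
    } | sort -u
}

# --- Constructed sample data (not real log or account data) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/sulog" <<'EOF'
SU 10/23 09:12 + pts/1 alice-root
SU 10/23 13:40 - pts/3 bob-root
SU 10/23 13:41 + pts/3 bob-root
SU 10/24 08:05 + pts/2 carol-oracle
SU 10/26 01:06 + pts/5 dave-root
EOF
chmod 600 "$TMP/sulog"

cat > "$TMP/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
alice:!:201:0::/home/alice:/usr/bin/ksh
bob:!:202:1::/home/bob:/usr/bin/ksh
carol:!:203:1::/home/carol:/usr/bin/ksh
EOF

cat > "$TMP/group" <<'EOF'
system:!:0:root,bob
staff:!:1:
EOF

# Who became root, and on which terminal, on the day the file changed (10/23):
echo "su to root on 10/23:"
su_to_target "$TMP/sulog" root | grep '^10/23 '
echo "failed su attempts: $(failed_su_count "$TMP/sulog")"
echo "sulog mode: $(file_mode "$TMP/sulog")"
echo "system group members:"
group_members "$TMP/passwd" "$TMP/group" system
```

Against the real files, call `su_to_target /var/adm/sulog root` as root, filter on the day from the file's mtime, and pair the terminal it reports with the corresponding login in `last` to get the origin host; `group_members /etc/passwd /etc/group system` gives the full set of system-group accounts, not just the ones named on the group line.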



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:18 EDT