Change Is Inevitable

Kedar Vaijanapurkar's Blog for MySQL, technology and various subjects


    Audit-Checking login history-to know WHO DID THAT on Redhat Linux

    Kedar
    • February 16, 2010
    • No comments

    I’m using Redhat Linux (RHEL 5). Yesterday I noticed some suspicious activity and data movement under my home directory (/home/username).
    I decided to investigate and audit my Redhat Linux machine to catch the “right person”, that is, to find out who did it.

    Following are the steps I followed (you may follow them too):

    1. Retrieve all successful logins on the system

    cat /var/log/secure* | grep Accepted > logins.txt
    Now logins.txt will contain all successful logins to your Redhat Linux system.
    You may go through the file for a first manual look.

    2. Check users at perticular time

    To find the last login details of particular users we also have the last and lastb commands, which show a listing of the last logged-in users.

    The last program, which prints a detailed report of the times of the most recent user logins, does so by scanning the /var/log/wtmp file.

    The output includes the following details:

    User name
    Tty device number
    Login date and time
    Logout time
    Total working time

    It also has an option to show the logins at a particular time, as follows:
    last -t YYYYMMDDHHMMSS – Display the state of logins as of the specified time.

    Files used in this are:
    /etc/utmp – This is a binary file that contains a record for every active tty line.
    /var/adm/wtmp – Keeps track of both logins and logouts.

    3. finger – a user information lookup program

    Finally, you can get more information about a user with the finger command.

    finger -ls user-id – The above command will tell you the Linux user’s login name, real name, terminal name, write status, home directory, home phone number, login shell, mail status, and the contents of the files .plan, .project, .pgpkey and .forward.
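    As an added example (not part of the original post), the following POSIX shell script turns step 1 into something easier to read than a raw logins.txt: it pulls the sshd “Accepted” lines apart into user, authentication method and source address, counts logins per user and source, lists logins that happened at night, and flags source addresses that had failed password attempts before a successful login. The log lines below are constructed for the demo and the hostnames, users and addresses in them are made up; on a real RHEL box you would feed the functions with cat /var/log/secure* instead of the sample. The field layout assumed is the standard sshd syslog line (“Accepted <method> for <user> from <ip> port <n> ssh2”).

```shell
#!/bin/sh
# Added example: summarise sshd login lines from /var/log/secure.
# SAMPLE_SECURE is constructed test data, not a real log.
SAMPLE_SECURE='Feb 15 09:12:01 host sshd[2311]: Accepted publickey for kedar from 192.0.2.10 port 51234 ssh2
Feb 15 09:14:44 host sshd[2340]: Accepted password for bob from 192.0.2.25 port 40112 ssh2
Feb 15 11:02:09 host sshd[2419]: Failed password for root from 198.51.100.7 port 33000 ssh2
Feb 15 11:02:15 host sshd[2419]: Failed password for invalid user admin from 198.51.100.7 port 33001 ssh2
Feb 15 23:48:17 host sshd[2602]: Accepted password for bob from 198.51.100.7 port 33010 ssh2
Feb 16 02:05:50 host sshd[2655]: Accepted publickey for kedar from 192.0.2.10 port 51300 ssh2'

# logins: read secure-log lines on stdin, print one line per successful login:
#   "<month> <day> <time> <user> <auth-method> <source-ip>"
# The user is the word after "for" and the source is the word after "from",
# so the function does not depend on fixed column positions.
logins() {
    awk '/Accepted/ {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") ip   = $(i + 1)
        }
        print $1, $2, $3, user, $7, ip
    }'
}

# login_counts: "<user> <source-ip> <count>", most frequent pair first.
login_counts() {
    logins | awk '{ print $4, $6 }' | sort | uniq -c | sort -rn \
        | awk '{ print $2, $3, $1 }'
}

# off_hours_logins: successful logins between 22:00 and 06:00.
# HH:MM:SS strings compare correctly as plain strings, so no date parsing.
off_hours_logins() {
    logins | awk '$3 >= "22:00:00" || $3 < "06:00:00"'
}

# sources_failed_then_accepted: source addresses that produced at least one
# "Failed password" line and later also an "Accepted" line. A run of failures
# followed by a success from the same address deserves a closer look.
sources_failed_then_accepted() {
    awk '
        function src(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
        /Failed password/ { failed[src()] = 1 }
        /Accepted/        { ok[src()] = 1 }
        END { for (ip in ok) if (ip in failed) print ip }
    '
}

# Demo on the constructed sample. On the real machine replace the printf with:
#   cat /var/log/secure* | login_counts
printf '%s\n' "$SAMPLE_SECURE" | login_counts
printf '%s\n' "$SAMPLE_SECURE" | off_hours_logins
printf '%s\n' "$SAMPLE_SECURE" | sources_failed_then_accepted
```

    The summary from login_counts gives you the short list of user/source pairs to compare against what last -t reports for the time of the suspicious activity, and off_hours_logins narrows it to logins nobody should have made. Note that the output only covers SSH; console logins are in wtmp (shown by last), not in /var/log/secure.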

    So, ultimately I found the right person, and later came to know that he was in my home directory to do “right” tasks only.
    I don’t know if any other way is available, but this is one way I approached it.

    Kedar

    Related Tags
    • Audit Linux,
    • linux,
    • login history,
    • Technical,
    • Who did that,
    • who logged in