I’m using Redhat Linux (RHEL 5). Yesterday I saw a bit suspicious activities and data movements under my “home” (/home/username directory).
I thought of investigate / audit through my Redhat linux machine and catch the “Right Person” / “Who did it”.
Following are the steps I followed: [which if you follow, you may follow.]
1. Retrieve all successful logins on the system
cat /var/log/secure* | grep Accepted > logins.txt
Now logins.txt will contain all successfull logins to you Redhat linux system.
You may go through the file and have a manual first look up.
2. Check users at perticular time
Other command to find out last login details of perticular users we have last, lastb commands which shows listing of last logged in users.
The last program, which prints a detailed report of the times of the most recent user logins, does so by scanning the /var/log/wtmp file.
Output includes following details:
User name
Tty device number
Login date and time
Logout time
Total working time
It also has an option to search logins at perticular time as follows:
last -t YYYYMMDDHHMMSS – Display the state of logins as of the specified time.
Files used in this are:
/etc/utmp – This is a binary file that contains a record for every active tty line.
/var/adm/wtmp – Keeps track of both logins and logouts.
3. finger – It’s a user information lookup program
Finally you can get more information about user with the finger command.
finger -ls user-id – Above command will tell you linux user’s login name, real name, terminal name, write status, home directory, home phone number, login shell, mail status, and the contents of the files .plan .project .pgpkey .forward
So, ultimately I got the Right Person and later came to know he was in my “home” to do “right” tasks only.
I don’t know if any other way is available but this is one of the way I approched.