{"id":554,"date":"2010-02-16T15:51:22","date_gmt":"2010-02-16T15:51:22","guid":{"rendered":"http:\/\/kedar.nitty-witty.com\/?p=554"},"modified":"2015-07-21T12:25:29","modified_gmt":"2015-07-21T12:25:29","slug":"audit-checking-login-history-to-know-who-did-that-on-redhat-linux","status":"publish","type":"post","link":"https:\/\/kedar.nitty-witty.com\/blog\/audit-checking-login-history-to-know-who-did-that-on-redhat-linux","title":{"rendered":"Audit-Checking login history-to know WHO DID THAT on Redhat Linux"},"content":{"rendered":"<p>I&#8217;m using Redhat Linux (RHEL 5). Yesterday I saw some suspicious activity and data movement under my &#8220;home&#8221; (\/home\/username directory).<br \/>\nI thought of investigating \/ auditing my Redhat\u00a0linux machine and catching the &#8220;Right Person&#8221; \/ &#8220;Who did it&#8221;.<\/p>\n<p>Following are the steps I followed: [which you may follow as well.]<\/p>\n<h3>1. Retrieve all successful logins on the system<\/h3>\n<p style=\"text-align: left;\">cat \/var\/log\/secure* | grep Accepted &gt; logins.txt<br \/>\nNow logins.txt will contain all successful logins to your Redhat\u00a0linux system.<br \/>\nYou may go through the file and have a first manual look.<\/p>\n<h3>2. 
Check users at a particular time<\/h3>\n<p>Other commands to find out the last login details of particular users are\u00a0<strong>last, lastb<\/strong>, which show a listing of the last logged in users.<\/p>\n<p>The last program, which prints a detailed report of the times of the most recent user logins, does so by scanning the \/var\/log\/wtmp file.<\/p>\n<p>Output includes the following details:<\/p>\n<p>User name<br \/>\nTty device number<br \/>\nLogin date and time<br \/>\nLogout time<br \/>\nTotal working time<\/p>\n<p>It also has an option to show logins at a particular time as follows:<br \/>\nlast -t YYYYMMDDHHMMSS &#8211; Display the state of logins as of the specified time.<\/p>\n<p>Files used by last are:<br \/>\n\/etc\/utmp &#8211; This is a binary file that contains a record for every active tty line.<br \/>\n\/var\/adm\/wtmp &#8211; Keeps track of both logins and logouts.<\/p>\n<h3>3. finger &#8211; It&#8217;s a user information lookup program<\/h3>\n<p>Finally you can get more information about a user with the finger command.<\/p>\n<p><strong>finger -ls user-id<\/strong> &#8211; The above command will tell you the linux user&#8217;s login name, real name, terminal name, write status, home directory, home phone number, login shell, mail status, and the contents of the files .plan .project .pgpkey .forward<\/p>\n<p>So, ultimately I got the Right Person and later came to know he was in my &#8220;home&#8221; to do &#8220;right&#8221; tasks only.<br \/>\nI don&#8217;t know if any other way is available, but this is one of the ways I approached it.<\/p>\n","protected":false},"excerpt":{"rendered":"I&#8217;m using Redhat Linux (RHEL 5). Yesterday I saw some suspicious activity and data movement under my &#8220;home&#8221; (\/home\/username directory). 
I thought of investigating \/ auditing my Redhat\u00a0linux&hellip;\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6],"tags":[241,59,244,426,242,243],"class_list":{"0":"post-554","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-technical","7":"tag-audit-linux","8":"tag-linux","9":"tag-login-history","10":"tag-technical","11":"tag-who-did-that","12":"tag-who-logged-in"},"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/posts\/554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/comments?post=554"}],"version-history":[{"count":2,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/posts\/554\/revisions"}],"predecessor-version":[{"id":2294,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/posts\/554\/revisions\/2294"}],"wp:attachment":[{"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/media?parent=554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/categories?post=554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/tags?post=554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}