SLUG Mailing List Archives
Re: [SLUG] forensics work without history file
- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] forensics work without history file
- From: Mike MacCana <mikem@xxxxxxxxxxxx>
- Date: Mon, 07 Feb 2005 09:38:48 +1100
- User-agent: Mozilla Thunderbird (X11/20041216)
James Gray wrote:
On Sun, 6 Feb 2005 03:39 pm, Ricky wrote:
is there a way to find out what user did without .history file ?
the user is using csh
Last can show you if they did any reboots.
Did they have root access?
For files, verify all your packages 'rpm -Va', which will determine
whether their md5, size, etc has changed since install. Then look at the
change time on those files.
For packages, rpm -qa --last will tell you if they installed anything,
printing a list of when each package was installed by its date.
If there's DPKG equivalents of these, I'm sure someone will suggest them.
Not directly. You can imply what *might* have happened from the changes
made. Best option is to install a key-logger. We use key-loggers on all
our core *nix boxen mainly because there are a few people with root's
password (7 or 8 senior admins - the rest get sudo). Root's .history file
is a symlink to /dev/null. So we use a keylogger that sends all the
keystrokes to another machine :) Sorta like remote syslog.
Google around - there are plenty of key-loggers for different platforms and
they all have strengths and weaknesses.