SLUG Mailing List Archives - Re: [SLUG] forensics work without history file

To: slug@xxxxxxxxxxx
Subject: Re: [SLUG] forensics work without history file
From: Mike MacCana <mikem@xxxxxxxxxxxx>
Date: Mon, 07 Feb 2005 09:38:48 +1100
User-agent: Mozilla Thunderbird (X11/20041216)

James Gray wrote:

On Sun, 6 Feb 2005 03:39 pm, Ricky wrote:

Hi All

is there a way to find out what user did without .history file ?

the user is using csh

cheers
R

Last can show you if they did any reboots.

Did they have root access?

For files, verify all your packages 'rpm -Va', which will determinewhether their md5, size, etc has changed since install. Then look at thechange time on those files.

For packages, rpm -qa --last will tell you if they installed anything,printing a list of when each package was installed by its date.


If there's DPKG equivalents of these, I'm sure someone will suggest them.

Mike

Not directly. You can imply what *might* have happened from the changesmade. Best option is to install a key-logger. We use key-loggers on allour core *nix boxen mainly because there are a few people with root'spassword (7 or 8 senior admins - the rest get sudo). Root's .history fileis a symlink to /dev/null. So we use a keylogger that sends all thekeystrokes to another machine :) Sorta like remote syslog.
Google around - there are plenty of key-loggers for different platforms andthey all have strengths and weaknesses.
Cheers,

James

Follow-Ups:
- Re: [SLUG] forensics work without history file
  - From: Peter Chubb

References:
- [SLUG] forensics work without history file
  - From: Ricky
- Re: [SLUG] forensics work without history file
  - From: James Gray

Messages sorted by: [ date | thread ]
Prev by Date: Re: [SLUG] Two concurrent Gnome Desktops?
Next by Date: Re: [SLUG] Two concurrent Gnome Desktops?
Previous by thread: Re: [SLUG] forensics work without history file
Next by thread: Re: [SLUG] forensics work without history file