Friday, July 20, 2007

Who rebooted the Linux system

The availability of details is depended on the syslog's settings, but in any case you can do following:

1. Get the boot time. You can get it by couple of ways, as you can type "uptime" commands and count back for how long it was on, or you can go to
/var/log and see the boot.log file, or in the same directory see "messages" file and look for "syslog started" time stamp.

2. type "last" command and see who were the uses logged in at the time when system had been rebooted

3. See these users shell history files in ~username/.bash_history for su or sudo commands.

All the aforesaid makes sense ONLY if you have proper access to root account and no one but root user knows the root's password. If you guys share the root password it is almost impossible to find who had rebooted the system. The only chance if you had systlog set to record network events. You can see in /var/log, messages and security logs for connections with a time-stamp kept alive around the reboot. Given your DHCP is long leasing or static IPs were used/or logs entries resolve DNS you can get the list of suspects. Then you proceed to step 3.

Have in mind that if someone INTENTIONALLY reboot the system and had complete root access and posses some skills, it is not only impossible to track, he/she may forge logs in any desirable way.

DO NOT SHARE ROOT ACCESS! USE "SUDO" TO PROTECT ROOT ACCOUNT!



Curtsey : http://www.unix.com/unix-for-dummies-question-and-answers/27272-how-to-identify-who-rebooted-the-linux-server.html

No comments: