On Tue, Jun 11, 2013 at 11:51 AM, Howard White <[email protected]> wrote: > Have a client whose login has disappeared. I didn't do it nor do we know > who would know _how_ much less do it. > > Is there a common log that tracks adds, changes or deletes to /etc/passwd?
In a word, no, but this apparent problem can be solved with a policy requirement to never login as root or have a root shell, but rather to always use 'sudo' to do obtain root privileges on each command. Every command prefixed with 'sudo' is logged to the system log, and while you might not able to discover exactly what each person who edited /etc/passwd (and /etc/shadow) did, you can, however, discover who and when, which is usually enough. -Tilghman -- -- You received this message because you are subscribed to the Google Groups "NLUG" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en --- You received this message because you are subscribed to the Google Groups "NLUG" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
