On 10/10/07, Sir June <[EMAIL PROTECTED]> wrote:
>
> # last
>
> webuser  pts/0        10.6.56.17       Tue Oct  9 13:29 - 19:23  (05:53)
> reboot   system boot  2.4.21-47.0.1.EL Tue Oct  9 13:27         (1+00:04)
> webuser  pts/1        nothing.domain.c Tue Oct  9 12:47 - 12:49  (00:02)
> so is this via reboot command from the cli?
>
This output tells you that probably webuser was the one who did a system
reboot or shutdown, but it won't tell you what method he used. The user
reboot automatically logs in whenever there is a system restart.

The best ways to audit unauthorized system restarts are:

1. Disable the three-finger salute (Ctrl+Alt+Del) by editing
/etc/inittab and commenting out this line:

# ca::ctrlaltdel:/sbin/shutdown -t3 -r now

2. Secure the box in a room or some form of enclosure so that nobody can
press the restart button.

As for the OS restarting by itself, check the logs, e.g., dmesg; you can
determine an unclean shutdown just by looking at dmesg.

You can also disable the reboot and poweroff commands or have the commands
executable only by root by using chmod.

HTH

-- 
http://jangestre.wordpress.com
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
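
As an added example (not part of the original message): the script below reads `last` output and, for each reboot row, reports whether sessions from the preceding uptime were cut off with `down` (orderly shutdown) or `crash` (unclean stop), the two markers `last` prints in place of a logout time. The function name `restarts`, the `unknown` label, and every sample row after the first three are assumptions made for the example.

```python
import re

# Constructed sample in the layout `last` prints, newest entry first. The top
# three rows repeat the listing quoted in the thread; the rest are invented.
SAMPLE = """\
webuser  pts/0        10.6.56.17       Tue Oct  9 13:29 - 19:23  (05:53)
reboot   system boot  2.4.21-47.0.1.EL Tue Oct  9 13:27         (1+00:04)
webuser  pts/1        nothing.domain.c Tue Oct  9 12:47 - 12:49  (00:02)
reboot   system boot  2.4.21-47.0.1.EL Mon Oct  8 09:10         (1+04:15)
admin    pts/0        10.6.56.20       Mon Oct  8 08:30 - down   (00:35)
reboot   system boot  2.4.21-47.0.1.EL Sun Oct  7 21:50         (11:15)
backup   pts/2        10.6.56.30       Sun Oct  7 21:00 - crash  (00:50)
"""

STAMP = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d")
ENDED_BY = re.compile(r" - (down|crash)\b")


def restarts(last_output):
    """Return one record per 'reboot' row: boot time, how the previous
    uptime ended, and which users were still logged in when it ended."""
    records, current = [], None
    for line in last_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "reboot":
            stamp = STAMP.search(line)
            current = {"boot": stamp.group(0) if stamp else "?",
                       "ended_by": "unknown", "users": []}
            records.append(current)
            continue
        match = ENDED_BY.search(line)
        # Rows below a reboot row belong to the uptime that preceded it.
        # `last` writes "down" or "crash" instead of a logout time when the
        # session was cut off by a shutdown or by an unclean stop.
        if current is not None and match:
            current["ended_by"] = match.group(1)
            current["users"].append(fields[0])
    return records


if __name__ == "__main__":
    for r in restarts(SAMPLE):
        who = ", ".join(r["users"]) or "nobody logged in"
        print(f"boot {r['boot']}: previous uptime ended by "
              f"{r['ended_by']} ({who})")
```

A result of `unknown` means no login session was open when the system went down, so `last` alone cannot say how that uptime ended.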
