James Gray wrote:

On Sun, 6 Feb 2005 03:39 pm, Ricky wrote:


Hi All

Is there a way to find out what a user did without a .history file?

The user is using csh.

cheers
R





Last can show you if they did any reboots.

Did they have root access?
For files, verify all your packages with 'rpm -Va', which will determine whether their md5, size, etc. have changed since install. Then look at the change time on those files.


For packages, rpm -qa --last will tell you if they installed anything, printing a list of when each package was installed by its date.

If there are DPKG equivalents of these, I'm sure someone will suggest them.

Mike

Not directly. You can imply what *might* have happened from the changes made. Best option is to install a key-logger. We use key-loggers on all our core *nix boxen mainly because there are a few people with root's password (7 or 8 senior admins - the rest get sudo). Root's .history file is a symlink to /dev/null. So we use a keylogger that sends all the keystrokes to another machine :) Sorta like remote syslog.

Google around - there are plenty of key-loggers for different platforms and they all have strengths and weaknesses.

Cheers,

James



-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
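The triage Mike describes (run `rpm -Va`, then look at the change time of the files it flags), as an added example that is not part of the original thread. The function names, the `skip-config` argument and the sample lines are constructed for illustration; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output read from stdin.
# A verify line looks like:   S.5....T.  c /etc/ssh/sshd_config
#   field 1: flag string (S = size differs, 5 = digest differs, T = mtime ...)
#   optional one-letter attribute (c = config file), then the path.
# For every file whose size or digest differs, or which is missing, print:
#   flags <TAB> change time (ctime) <TAB> path

rpm_changed_files() {
    skip_config=${1:-}          # pass "skip-config" to leave out config files
    while read -r flags rest; do
        attr=
        case "$rest" in
            [cdglr]\ /*) attr=${rest%% *}; path=${rest#? } ;;
            *)           path=$rest ;;
        esac
        [ "$skip_config" = skip-config ] && [ "$attr" = c ] && continue
        case "$flags" in
            missing) ctime=- ;;
            S*|??5*) ctime=$(stat -c %z "$path" 2>/dev/null) || ctime=unknown ;;
            *)       continue ;;   # only mode/owner/mtime etc. changed
        esac
        printf '%s\t%s\t%s\n' "$flags" "$ctime" "$path"
    done
}

# Constructed sample of `rpm -Va` output (not taken from a real system).
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/example/README
..5....T.    /usr/bin/example-tool
.M.......    /var/log/example
missing      /usr/lib/example/libexample.so
EOF
}

# On a real RPM-based host:  rpm -Va 2>/dev/null | rpm_changed_files skip-config
sample_rpm_va | rpm_changed_files
```

A changed digest on a non-config binary is the line to look at first; the ctime column shows when the inode was last changed, which a user cannot reset with `touch`.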
