Mailinglist Archive: opensuse (3531 mails)
Re: [opensuse] errant 'who' behavior
- From: Randall R Schulz <rschulz@xxxxxxxxx>
- Date: Wed, 3 Jan 2007 07:38:39 -0800
- Message-id: <200701030738.39540.rschulz@xxxxxxxxx>
On Wednesday 03 January 2007 07:27, Carl Hartung wrote:
> Hi All,
>
> This is actually a two part question. a) Is there a 100%
> proof-positive way to determine if someone has previously broken into
> a system via ssh... before remote root logins were disabled and a
> weak password replaced... and b) how do I correct the apparent
> inability of 'who', given any parameters, to return something more
> informative than just a prompt?
>
> ...
>
> All ideas/hints gratefully appreciated and a happy new year to all of
> you!
I think you're looking for "last," which produces human-readable reports
of the history of logins. The file it uses, /var/log/wtmp, is subject to
log rotation (older copies are kept compressed in /var/log) so you don't
get unlimited history without some manual intervention to access older
parts of the history archived in the compressed wtmp files.
The wtmp file also records reboots and crashes:
% last reboot
reboot system boot 2.6.13-15.11-smp Thu Dec 21 10:52 (12+20:42)
reboot system boot 2.6.13-15.11-smp Wed Oct 11 22:50 (70+12:59)
reboot system boot 2.6.13-15.11-smp Wed Oct 11 20:51 (00:38)
reboot system boot 2.6.13-15.11-smp Wed Oct 11 20:41 (00:08)
reboot system boot 2.6.13-15.11-smp Wed Oct 11 15:13 (05:25)
reboot system boot 2.6.13-15.11-smp Wed Oct 11 13:23 (01:47)
reboot system boot 2.6.13-15.11-smp Tue Oct 10 23:53 (11:36)
reboot system boot 2.6.13-15.11-smp Thu Aug 10 06:00 (61+11:58)
wtmp begins Wed Jul 12 15:21:25 2006
If you have a limited complement of authorized users, you can do
something like this:
% 19761> last |egrep -v 'XYZ|QRS|reboot'
wtmp begins Wed Jul 12 15:21:25 2006
Not even a single crash or unwanted visitor!
> regards,
>
> Carl
Randall Schulz
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
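A small checker in the spirit of the `egrep -v` filter above, added here as an example (not code from the original post or from the openSUSE project): it parses default-width `last` output, keeps the reboot entries separate, flags accounts outside an allowlist and any root login that arrived from a remote host, and reports the "wtmp begins" boundary so you know where the rotated files take over (`last -f FILE` reads a specific wtmp file; the compressed copies must be decompressed first). The allowlist, the sample lines and the host addresses are constructed.

```python
import re
from collections import namedtuple
# One record of default-width `last` output: user, line, origin host (empty for local
# logins), a timestamp like "Wed Jan  3 07:00", then the logout time and duration.
_REC = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>system boot|\S+)\s+(?P<host>\S*)\s+"
    r"(?P<when>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2})(?P<rest>.*)$"
)
PSEUDO_USERS = {"reboot", "shutdown", "runlevel"}  # wtmp bookkeeping entries, not people
Login = namedtuple("Login", "user line host when rest")

def parse_last(output):
    """Return (records, text after 'wtmp begins' or None, lines that did not parse)."""
    records, begins, unparsed = [], None, []
    for text in (line.strip() for line in output.splitlines()):
        if not text:
            continue
        if text.startswith("wtmp begins"):
            begins = text[len("wtmp begins"):].strip()
        elif (m := _REC.match(text)):
            records.append(Login(**m.groupdict()))
        else:
            unparsed.append(text)  # an audit must never silently drop a line
    return records, begins, unparsed

def audit(output, authorized):
    """Flag accounts outside the allowlist and any root login that came from a remote host."""
    records, begins, unparsed = parse_last(output)
    report = {"unknown_user": [], "remote_root": [], "reboots": 0,
              "wtmp_begins": begins, "unparsed": unparsed}
    for r in records:
        if r.user in PSEUDO_USERS:
            report["reboots"] += 1
            continue
        if r.user not in authorized:
            report["unknown_user"].append(r)
        if r.user == "root" and r.host:  # root over the network: the case the thread worries about
            report["remote_root"].append(r)
    return report

# Constructed sample in the layout `last` prints; the hosts are documentation addresses.
SAMPLE = """\
carl     pts/0        198.51.100.20    Wed Jan  3 07:00   still logged in
root     pts/1        203.0.113.7      Tue Jan  2 03:14 - 03:20  (00:06)
guest    pts/1        203.0.113.7      Tue Jan  2 03:02 - 03:10  (00:08)
reboot   system boot  2.6.13-15.11-smp Thu Dec 21 10:52          (12+20:42)
root     tty1                          Thu Dec 21 10:53 - 10:54  (00:01)

wtmp begins Wed Jul 12 15:21:25 2006
"""
```

Run it as `audit(subprocess.check_output(["last"], text=True), {"carl", "randall", "root"})` on a live host, then repeat with `last -f` over each rotated wtmp file. A clean report is evidence, not proof: wtmp is an ordinary file that anyone who already holds root can edit.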