Mailinglist Archive: opensuse (3531 mails)

Re: [opensuse] errant 'who' behavior
  • From: Randall R Schulz <rschulz@xxxxxxxxx>
  • Date: Wed, 3 Jan 2007 07:38:39 -0800
  • Message-id: <200701030738.39540.rschulz@xxxxxxxxx>
On Wednesday 03 January 2007 07:27, Carl Hartung wrote:
> Hi All,
>
> This is actually a two part question. a) Is there a 100%
> proof-positive way to determine if someone has previously broken into
> a system via ssh... before remote root logins were disabled and a
> weak password replaced... and b) how do I correct the apparent
> inability of 'who', given any parameters, to return something more
> informative than just a prompt?
>
> ...
>
> All ideas/hints gratefully appreciated and a happy new year to all of
> you!

I think you're looking for "last," which produces human-readable reports
of the history of logins. The file it uses, /var/log/wtmp, is subject to
log rotation (older copies are kept compressed in /var/log) so you don't
get unlimited history without some manual intervention to access older
parts of the history archived in the compressed wtmp files.

The wtmp file also records reboots and crashes:

% last reboot
reboot system boot 2.6.13-15.11-smp Thu Dec 21 10:52 (12+20:42)
reboot system boot 2.6.13-15.11-smp Wed Oct 11 22:50 (70+12:59)
reboot system boot 2.6.13-15.11-smp Wed Oct 11 20:51 (00:38)
reboot system boot 2.6.13-15.11-smp Wed Oct 11 20:41 (00:08)
reboot system boot 2.6.13-15.11-smp Wed Oct 11 15:13 (05:25)
reboot system boot 2.6.13-15.11-smp Wed Oct 11 13:23 (01:47)
reboot system boot 2.6.13-15.11-smp Tue Oct 10 23:53 (11:36)
reboot system boot 2.6.13-15.11-smp Thu Aug 10 06:00 (61+11:58)

wtmp begins Wed Jul 12 15:21:25 2006


If you have a limited complement of authorized users, you can do
something like this:

% 19761> last |egrep -v 'XYZ|QRS|reboot'

wtmp begins Wed Jul 12 15:21:25 2006


Not even a single crash or unwanted visitor!


> regards,
>
> Carl


Randall Schulz
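
The check described in the message above, extended to the rotated wtmp copies it mentions. This is an added example, not part of the original post; the /var/log/wtmp* glob with .gz/.bz2 suffixes, the function names and the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: rotated copies match
# /var/log/wtmp* with .gz/.bz2 suffixes; the allowlist "XYZ QRS" is hypothetical.

# Constructed sample of `last` output (names and addresses are made up).
sample_last() {
cat <<'EOF'
XYZ      pts/1        192.0.2.10       Tue Jan  2 09:14 - 11:02  (01:48)
root     pts/0        QRS.example.net  Mon Jan  1 03:12 - 03:40  (00:27)
QRS      :0           console          Sun Dec 31 18:00 - 22:15  (04:15)
reboot   system boot  2.6.13-15.11-smp Thu Dec 21 10:52          (12+20:42)

wtmp begins Wed Jul 12 15:21:25 2006
EOF
}

# unexpected_logins "USER1 USER2" < last-output
# Print entries whose user field (column 1) is not on the allowlist. Comparing
# the whole field avoids the substring trap of egrep -v 'XYZ|QRS', which also
# hides any line whose host or tty merely contains one of those strings.
unexpected_logins() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 0 || $2 == "begins" { next }           # blank line and "... begins" trailer
        $1 == "reboot" || $1 == "shutdown" { next }  # pseudo-users, not logins
        !($1 in ok)
    '
}

# scan_wtmp "USER1 USER2" [FILE...]
# Run the filter over the live wtmp and every rotated copy, decompressing
# archived files to a temporary file because `last -f` needs a plain file.
scan_wtmp() {
    allowed=$1; shift
    [ $# -gt 0 ] || set -- /var/log/wtmp*
    for f in "$@"; do
        [ -r "$f" ] || continue
        tmp=
        case $f in
            *.gz)  tmp=$(mktemp) && gzip  -dc "$f" > "$tmp" ;;
            *.bz2) tmp=$(mktemp) && bzip2 -dc "$f" > "$tmp" ;;
        esac
        last -f "${tmp:-$f}" | unexpected_logins "$allowed" |
            awk -v f="$f" '{ print f ": " $0 }'
        if [ -n "$tmp" ]; then rm -f "$tmp"; fi
    done
}
# Usage: scan_wtmp "XYZ QRS"
```

A clean result means only that wtmp holds no such entries: the file is writable by root, so it cannot by itself prove that no break-in occurred.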