Hi All, This is actually a two part question. a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt? Copied & pasted examples: (note: root has logged into console tty1 after the user has logged into his desktop on tty7, then root has logged in again via shell on the user's desktop.) as user:
carl@linux:~> who carl@linux:~>
carl@linux:~> who -a carl@linux:~>
carl@linux:~> who -m carl@linux:~>
carl@linux:~> who -u carl@linux:~>
as root:
linux:~ # who linux:~ #
linux:~ # who -a linux:~ #
linux:~ # who -m linux:~ #
linux:~ # who -u linux:~ #
Additional info:
linux:~ # which who /usr/bin/who
linux:~ # l /usr/bin/who -rwxr-xr-x 1 root root 25204 2006-01-31 11:28 /usr/bin/who*
linux:~ # file /usr/bin/who /usr/bin/who: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
All ideas/hints gratefully appreciated and a happy new year to all of you! regards, Carl -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org