topic Re: log analysis in Operating System - HP-UX

log analysis

varian_1 — Fri, 04 Nov 2005 03:52:41 GMT

Hi,

On my HP-UX server 6 months back I have changed few kernel parameters.
But now when I checked I found few parameters are changed again.
Shutdownlog shows system is rebooted thru sam nearly 3 months back.
Can any one tell me how to check the following thru system logs;
>> when & who has changed these kernel parametres.

Thanks in advance ....
Regards

Varian

Re: log analysis

Muthukumar_5 — Fri, 04 Nov 2005 03:56:11 GMT

Are you having user history details? If the parameter is changed by command line using kmtune or kctune then, HISTFILE is only option.

By sam, then have to see sam log file.

-Muthu

Re: log analysis

Warren_9 — Fri, 04 Nov 2005 04:38:01 GMT

hi,

you've got the time of reboot, check the OLDsulog, OLDsyslog, last may give you some hint.

GOOD LUCK!!

Re: log analysis

Arunvijai_4 — Fri, 04 Nov 2005 04:48:36 GMT

Check your log rotation policy and check /var/adm/syslog/ folder for OLDsyslog.log

There are changes of getting that file back and its depends on your admin policy of log rotate.

-Arun

Re: log analysis

Bill Hassell — Fri, 04 Nov 2005 09:34:26 GMT

It's fairly easy: only root can change the parameters and rebuild the kernel. Now if untrained people have the root password, or worse, you have created additional UID=0 user accounts, you will have to look at the .sh_history file for each root user. The last command and sulog will tell you when suspicious users login. If tghe user ran sam to change the parameters, you can look at sam logs but these logs will state what wa done and when--not the name of the root user running sam. It's also possible that during the last reboot, someone decided to use vmunix.prev for the kernel which is the previous kernel.

With this type of a mystery, I would assume that system security has been compromised, or at the very least, too many people have the root password or root access.