
How to check security logs

gb karki
Frequent Advisor

How to check security logs


Somebody has changed the password policy in /etc/default/security without enabling the shadow file. How can I check who changed this?

Steven E. Protter
Exalted Contributor

Re: How to check security logs


First check permissions on the file.

I think you will find that only root can change /etc/default/security

So someone either directly logged on as root, which you can see in /var/adm/syslog/syslog.log

Or someone did an su to root which shows up in the same file.

You can check the time stamp on the security file and match it up with su entries and such.

I would immediately change the root password and check the systems for back doors that elevate normal users to root access.

Steven E Protter
Owner of ISN Corporation
gb karki
Frequent Advisor

Re: How to check security logs

I checked /var/adm/syslog/syslog.log but I'm not getting any messages.

B. Hulst
Trusted Contributor

Re: How to check security logs

1. Check the timestamp of the file. When was it edited / saved?

2. Check with the command: last
to see who was logged in around the time of the timestamp from step 1.

Ordinary users cannot edit this file, but root, or users 'related to a root group', can get more privileges to edit this file.

From the last command output you find the hostname or IP address where that root user came from. :-)
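The two-step procedure above (file timestamp, then who was logged in or su'd around that time, as Steven also suggests for the su entries in syslog.log) can be scripted. The following is an added example, not code posted by anyone in this thread: it parses constructed, HP-UX-style `last` output and syslog su lines, and lists the login sessions and su attempts that overlap a window around the file's modification time. The exact column layout of `last` and the wording of the su message ("su: + tty from-to") are assumptions; adjust the two regular expressions to match what your system actually prints. The year is also an assumption, since neither `last` nor syslog lines carry one.

```python
"""Correlate the mtime of /etc/default/security with login sessions and su records.

Added example; sample data below is constructed, not taken from a real host.
"""
import os
import re
from datetime import datetime, timedelta

YEAR = 2023  # assumed: `last` and syslog lines carry no year

# Constructed `last` (wtmp) output. The console session has no host column.
LAST_OUTPUT = """\
root     pts/1        10.1.2.3         Mon Nov 13 22:05 - 22:40  (00:35)
karki    pts/0        10.1.2.7         Mon Nov 13 21:50 - 22:55  (01:05)
oper     console                       Mon Nov 13 08:00 - 17:02  (09:02)
root     pts/2        10.1.2.9         Tue Nov 14 09:10   still logged in
"""

# Constructed syslog.log lines; the "su: +/- tty from-to" format is assumed.
SYSLOG = """\
Nov 13 21:02:11 hpbox sshd[1123]: Accepted password for oper from 10.1.2.5
Nov 13 22:07:44 hpbox su: - pts/0 karki-root
Nov 13 22:08:02 hpbox su: + pts/0 karki-root
Nov 14 09:11:30 hpbox su: + pts/2 root-oracle
"""

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<wday>\w{3})\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hhmm>\d\d:\d\d)\s+(?P<rest>.*)$"
)
SU_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+su:\s+"
    r"(?P<ok>[+-])\s+(?P<tty>\S+)\s+(?P<from>[^-\s]+)-(?P<to>\S+)"
)


def _stamp(mon, day, clock, year):
    """Build a datetime from syslog-style month/day and HH:MM or HH:MM:SS."""
    fmt = "%b %d %Y %H:%M:%S" if clock.count(":") == 2 else "%b %d %Y %H:%M"
    return datetime.strptime(f"{mon} {day} {year} {clock}", fmt)


def mtime_of(path):
    """Modification time of a file, e.g. /etc/default/security (step 1)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime)


def parse_last(text, year=YEAR):
    """Turn `last` output into sessions; logout is None if still logged in."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue  # blank lines, "wtmp begins ..." trailer, unknown layouts
        login = _stamp(m["mon"], m["day"], m["hhmm"], year)
        logout = None
        end = re.match(r"-\s+(\d\d:\d\d)", m["rest"])
        if end:
            logout = _stamp(m["mon"], m["day"], end.group(1), year)
            if logout < login:
                logout += timedelta(days=1)  # session crossed midnight
        sessions.append({"user": m["user"], "tty": m["tty"], "host": m["host"] or "",
                         "login": login, "logout": logout})
    return sessions


def parse_su(text, year=YEAR):
    """Extract su attempts (success flag, tty, from-user, to-user) from syslog lines."""
    events = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m:
            events.append({"when": _stamp(m["mon"], m["day"], m["time"], year),
                           "ok": m["ok"] == "+", "tty": m["tty"],
                           "from": m["from"], "to": m["to"]})
    return events


def correlate(mtime, last_text, syslog_text, window=timedelta(hours=1), year=YEAR):
    """Sessions overlapping, and su attempts inside, [mtime - window, mtime + window]."""
    t0, t1 = mtime - window, mtime + window
    sessions = [s for s in parse_last(last_text, year)
                if s["login"] <= t1 and (s["logout"] is None or s["logout"] >= t0)]
    su = [e for e in parse_su(syslog_text, year) if t0 <= e["when"] <= t1]
    return {"sessions": sessions, "su": su}


if __name__ == "__main__":
    # On a real host: mtime = mtime_of("/etc/default/security"), and feed the
    # text of `last` and /var/adm/syslog/syslog.log instead of the samples.
    mtime = datetime(YEAR, 11, 13, 22, 12)  # constructed file timestamp
    hits = correlate(mtime, LAST_OUTPUT, SYSLOG)
    for s in hits["sessions"]:
        print(f"session {s['user']:8} {s['tty']:8} {s['host']:16} "
              f"{s['login']:%b %d %H:%M} - {s['logout'] or 'still logged in'}")
    for e in hits["su"]:
        print(f"su {'OK ' if e['ok'] else 'BAD'} {e['when']:%b %d %H:%M:%S} "
              f"{e['from']} -> {e['to']} on {e['tty']}")
```

On the sample data this narrows the candidates to the root session from 10.1.2.3 and the karki session that su'd to root (one failed, one successful attempt) a few minutes before the file was written; the console session and the next day's logins fall outside the window. Remember that wtmp and syslog are writable by root, so an attacker who already had root could have cleaned them; the absence of a matching entry is not proof nobody logged in.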
Kapil Jha
Honored Contributor

Re: How to check security logs

Do you have any logging software like PowerBroker or sudo? Check the wtmp file, but as said above normally only root can change the file, so you have to find out what time root logged into the server, or which other users were logged in at the same time who could potentially do it if you have sudo defined.
Syslog.log would not give you much information, except maybe if the root password was wrongly entered.

I am in this small bowl, I wane see the real world......