Operating System - HP-UX

Re: How to find out who unconvert the system?

Crystal_1
Frequent Advisor

How to find out who unconvert the system?

Hi, guys,

I trusted the system before. However, today I found the system was untrusted... For some reason, I couldn't find any relevant message in the syslog.log file. Instead, I found out from the samlog as follows:

Entering Task Manager with task TS_CONVERT_TO_NONTRUSTED.
@!@8@1026231267@0
Performing task "Convert to Non-Trusted System": converting back to a non-tr
usted system
@!@8@1026231267@0

Please correct me if I am wrong:

1. I found out the message above, and tracked the date and time..

2. Used the last command to find out who logged in that date at that time...

3. Then that's the person who did it...

Thanks,

Crystal

Patrick Wallek
Honored Contributor
Solution

Re: How to find out who unconvert the system?

That may get you close, but the system can only be (un)trusted by someone logged in as root, or with an id that has a uid of 0.

I would also check and see if anyone logged in, did an 'su -' and query that person. Does anyone else have the root passwd? If so, I would also change the root passwd and see who complains.
Darrell Allen
Honored Contributor

Re: How to find out who unconvert the system?

Also check /var/adm/sulog to see who may have su'ed to root instead of logging in as root.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Martin Johnson
Honored Contributor

Re: How to find out who unconvert the system?

Also check the .sh_history files.

HTH
Marty
Michael Tully
Honored Contributor

Re: How to find out who unconvert the system?

Change the root password straight away.
Also look at implementing 'sudo'. This will assist you in giving only certain commands to different users where possible. The other guys have assisted you in tracking down the culprit(s). You might look at who *really* needs shell access and who does not, as well as setting up restricted shells.

Here's the link for 'sudo'
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/
Anyone for a Mutiny ?
Rory R Hammond
Trusted Contributor

Re: How to find out who unconvert the system?

A time stamp from the samlog and a who -a /etc/wtmp might give you a clue who the culprit was.

If you have accounting turned on, /usr/sbin/acctcom (man acctcom) will give you information on tty ports and time stamps of who was logged in. Cross-referencing this information with who -a /etc/wtmp should help you find the person/s.

If you do have accounting on, and the problem happened several days before, you might have to recover pacct files to search.

Good Luck
There are a 100 ways to do things and 97 of them are right
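
Added example (not part of any post in this thread): a sketch of the correlation the replies describe, pulling the time of the TS_CONVERT_TO_NONTRUSTED record from the samlog excerpt quoted above and listing successful su-to-root entries from /var/adm/sulog shortly before it. It assumes the second numeric field of the `@!@` trailer is a Unix epoch time in seconds and that the server clock is UTC (pass the real zone as `tz`); the sulog lines and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# samlog lines are the ones quoted in the thread; sulog lines are constructed
# samples in the usual "SU MM/DD HH:MM +/- tty from-to" layout.
SAMLOG = """Entering Task Manager with task TS_CONVERT_TO_NONTRUSTED.
@!@8@1026231267@0
Performing task "Convert to Non-Trusted System": converting back to a non-tr
usted system
@!@8@1026231267@0
"""
SULOG = """SU 07/09 09:02 + ttyp1 alice-root
SU 07/09 15:58 - ttyp3 bob-root
SU 07/09 16:05 + ttyp4 carol-root
SU 07/09 16:40 + ttyp2 dave-root
SU 07/08 16:10 + ttyp5 erin-root
"""

TRAILER = re.compile(r"^@!@\d+@(\d+)@\d+$")  # assumed: @!@<level>@<epoch>@<n>
SU_LINE = re.compile(r"^SU (\d\d)/(\d\d) (\d\d):(\d\d) ([+-]) (\S+) (\S+)-(\S+)$")

def conversion_times(samlog, tz=timezone.utc):
    """Return the time of each record that names TS_CONVERT_TO_NONTRUSTED."""
    times, body = [], []
    for line in samlog.splitlines():
        m = TRAILER.match(line)
        if m and "TS_CONVERT_TO_NONTRUSTED" in " ".join(body):
            times.append(datetime.fromtimestamp(int(m.group(1)), tz))
        # A trailer closes the current record; any other line extends it.
        body = [] if m else body + [line]
    return times

def su_to_root_before(sulog, event, window=timedelta(hours=2)):
    """Successful su-to-root entries logged within `window` before `event`."""
    hits = []
    for line in sulog.splitlines():
        m = SU_LINE.match(line)
        if not m or m.group(5) != "+" or m.group(8) != "root":
            continue  # skip malformed lines, failed attempts, non-root targets
        mo, d, h, mi = map(int, m.group(1, 2, 3, 4))
        # sulog carries no year: borrow the event's (wrong across New Year).
        when = event.replace(month=mo, day=d, hour=h, minute=mi, second=0)
        if timedelta(0) <= event - when <= window:
            hits.append((when.strftime("%m/%d %H:%M"), m.group(6), m.group(7)))
    return hits

if __name__ == "__main__":
    for t in conversion_times(SAMLOG):
        print(t.isoformat(), su_to_root_before(SULOG, t))
```

A hit only narrows the list: direct root logins appear in wtmp rather than sulog, and sulog has minute resolution, so the result still needs the cross-check against `who -a /etc/wtmp` mentioned in the replies.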