HPE Community
Operating System - HP-UX
1752822 Members
4440 Online
108789 Solutions
New Discussion юеВ

find out who used kill command

 
pa8700
Regular Advisor

тАО03-01-2010 07:19 AM

тАО03-01-2010 07:19 AM

find out who used kill command

Hi can some body help me to find out who used a kill command with timestamp in the past 5 days.
0 Kudos
Reply
10 REPLIES 10
Prabhi
Advisor

тАО03-01-2010 07:24 AM

тАО03-01-2010 07:24 AM

Re: find out who used kill command

You can check in the syslog output
0 Kudos
Reply
Torsten.
Acclaimed Contributor

тАО03-01-2010 07:24 AM

тАО03-01-2010 07:24 AM

Re: find out who used kill command

This could be hard. Any auditing software running? You can grep all the command history files (shell dependent), but you will not find a timestamp. Maybe the application wrote to syslog? If this kill command requires root, than you can be sure somebody was root - ask yourself who has this privilege ...

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
Reply
Michael Steele_2
Honored Contributor

тАО03-01-2010 07:36 AM

тАО03-01-2010 07:36 AM

Re: find out who used kill command

Hi

This is the reason for sudo, or, adding 'script > output_$DATE' file to the .profile of every user, root leaves no footprint and hasn't since it's creation.

If you add in the script command then users will have to exit twice, once for the script command and once to log off.

You'll also have to tinker with the permissions of the output_$DATE file so each user had write only privilges under user, but only root can modify or delete the file. Start with 702 and adjust from there based upon ownership, which should be root, and maybe setgid on the directory.
Support Fatherhood - Stop Family Law
0 Kudos
Reply
T. M. Louah
Esteemed Contributor

тАО03-02-2010 05:14 AM

тАО03-02-2010 05:14 AM

Re: find out who used kill command

tricks presented above should help, Some system admin tools allows enabling of trusting/Auditing to help you track down who did what/when. Unix provides security mechanisms to prevent unauthorized users from killing other processes. For kill signal to be sent to a running process the user "owning shell where kill is sent from" & "process to be killed" should be the same or a root level user.
without tools or some sysadmin creativity, one would check history file in each user's home directory to see what commands were used at best with no date/time stamp!! now what if you have more than one root user? headache.
t#
Little learning is dangerous!
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО03-02-2010 06:38 AM

тАО03-02-2010 06:38 AM

Re: find out who used kill command

It sounds like a program stopped running unexpectedly. kill is only one way for a program to terminate. It may have terminated due to a program error or bug, or it may have run out of memory or other resource and rather than politely describing the problem in syslog.log, it simply terminated or crashed.

So are these programs owned by root? If so, only someone with a root login can kill these programs. If you have setup .sh_history correctly then anything root types in the shell (like kill 1234) will be logged.


Bill Hassell, sysadmin
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО03-02-2010 06:57 AM

тАО03-02-2010 06:57 AM

Re: find out who used kill command

Shalom,

It was me.

I could not help myself.

Check your users .sh_history logs.

If that is set up.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Michael Sillers
Trusted Contributor

тАО03-02-2010 07:47 AM

тАО03-02-2010 07:47 AM

Re: find out who used kill command

I've done something with rm that might help here. It won't help with previous kill commands but will in the future...

I've renamed rm to rm.bak then replaced it with a script that logs the user and file removed then calls the renamed rm command.

##########################################
removelog="/var/log/remove.log"
usablepty=$(pty | sed 's/.....//')
rmuser=$(who | grep ${usablepty})

if [ "$LOGNAME" = "root" ] ; then
echo "$(date): ${rmuser}: $@" >> $removelog
fi

/bin/rm.bak "$@"

exit 0
########################################
We have the system set up so you can't log in as root, only su to root so your original login name is the one that is logged.
0 Kudos
Reply
pa8700
Regular Advisor

тАО03-04-2010 06:20 AM

тАО03-04-2010 06:20 AM

Re: find out who used kill command

Great replays guys ..

Below is the error Provided by Oracle DBA and claims that somebody killed the process.. so the DB crashed....I needed to find out something..


Shutting down instance (abort)
License high water mark = 115
Instance terminated by USER, pid = 10448
Sun Feb 21 19:50:32 2010

Sun Feb 21 19:50:50 2010
ALTER DATABASE OPEN
ORA-1113 signalled during: ALTER DATABASE OPEN...
Shutting down instance: further logons disabled
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО03-04-2010 09:25 AM

тАО03-04-2010 09:25 AM

Re: find out who used kill command

> Shutting down instance (abort)
> License high water mark = 115
> Instance terminated by USER, pid = 10448
> Sun Feb 21 19:50:32 2010

> Sun Feb 21 19:50:50 2010
> ALTER DATABASE OPEN
> ORA-1113 signalled during: ALTER DATABASE OPEN...
> Shutting down instance: further logons disabled

Well, you do have some good information. The pid (10448) is of no value since it does not indicate the user name (but probably it was root or oracle). However, you do have the time for the termination: Feb 21 19:50:32. Now use the last command to see who was logged in at that time:

last -R | more

Also look at the sulog in /var/adm/sulog in case someone used su to become root. If you have sudo on your system, look in /var/adm/syslog/syslog.log around time listed above. Since Oracle is probably important, you may have to immediately revoke all root access as well as oracle administrator access until you find the guilty party. It may have been a simple error by a root user trying to kill a process and used the wrong PID -- but the consequences are still bad.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.