03-01-2010 07:19 AM
find out who used kill command
03-01-2010 07:24 AM
Re: find out who used kill command
03-01-2010 07:24 AM
Re: find out who used kill command
Hope this helps!
Regards
Torsten.
__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!
03-01-2010 07:36 AM
Re: find out who used kill command
This is the reason for sudo, or adding 'script > output_$DATE' file to the .profile of every user. Root leaves no footprint and hasn't since its creation.
If you add in the script command then users will have to exit twice, once for the script command and once to log off.
You'll also have to tinker with the permissions of the output_$DATE file so each user has write-only privileges under user, but only root can modify or delete the file. Start with 702 and adjust from there based upon ownership, which should be root, and maybe setgid on the directory.
03-02-2010 05:14 AM
Re: find out who used kill command
Without tools or some sysadmin creativity, one would check the history file in each user's home directory to see what commands were used, at best with no date/time stamp!! Now what if you have more than one root user? Headache.
t#
03-02-2010 06:38 AM
Re: find out who used kill command
So are these programs owned by root? If so, only someone with a root login can kill these programs. If you have set up .sh_history correctly then anything root types in the shell (like kill 1234) will be logged.
Bill Hassell, sysadmin
03-02-2010 06:57 AM
Re: find out who used kill command
It was me.
I could not help myself.
Check your users' .sh_history logs.
If that is set up.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
03-02-2010 07:47 AM
Re: find out who used kill command
I've renamed rm to rm.bak then replaced it with a script that logs the user and file removed then calls the renamed rm command.
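##########################################
#!/bin/sh
# Wrapper installed in place of rm; the real binary was renamed to /bin/rm.bak.
removelog="/var/log/remove.log"
# Strip the leading "/dev/" so the name matches the terminal column of who(1).
usablepty=$(pty | sed 's/.....//')
# who(1) still reports the original login name after su.
rmuser=$(who | grep "${usablepty}")
if [ "$LOGNAME" = "root" ] ; then
    echo "$(date): ${rmuser}: $*" >> "$removelog"
fi
# Run the real rm and hand its exit status back to the caller.
exec /bin/rm.bak "$@"
########################################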
We have the system set up so you can't log in as root, only su to root so your original login name is the one that is logged.
03-04-2010 06:20 AM
Re: find out who used kill command
Below is the error provided by the Oracle DBA, who claims that somebody killed the process, so the DB crashed... I needed to find out something.
Shutting down instance (abort)
License high water mark = 115
Instance terminated by USER, pid = 10448
Sun Feb 21 19:50:32 2010
Sun Feb 21 19:50:50 2010
ALTER DATABASE OPEN
ORA-1113 signalled during: ALTER DATABASE OPEN...
Shutting down instance: further logons disabled
03-04-2010 09:25 AM
Re: find out who used kill command
> License high water mark = 115
> Instance terminated by USER, pid = 10448
> Sun Feb 21 19:50:32 2010
> Sun Feb 21 19:50:50 2010
> ALTER DATABASE OPEN
> ORA-1113 signalled during: ALTER DATABASE OPEN...
> Shutting down instance: further logons disabled
Well, you do have some good information. The pid (10448) is of no value since it does not indicate the user name (but probably it was root or oracle). However, you do have the time for the termination: Feb 21 19:50:32. Now use the last command to see who was logged in at that time:
last -R | more
Also look at the sulog in /var/adm/sulog in case someone used su to become root. If you have sudo on your system, look in /var/adm/syslog/syslog.log around the time listed above. Since Oracle is probably important, you may have to immediately revoke all root access as well as oracle administrator access until you find the guilty party. It may have been a simple error by a root user trying to kill a process and using the wrong PID -- but the consequences are still bad.
Bill Hassell, sysadmin
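
The sulog check suggested in the reply above, as an added example that is not part of the original thread: it lists successful su transitions to root or oracle in the minutes before the termination time from the alert log. The function name, the 30-minute window and the sample lines are constructed, and the sulog layout is assumed to be the usual `SU MM/DD HH:MM +|- tty from-to` form.

```shell
#!/bin/sh
# Added example: narrow /var/adm/sulog down to the window before an incident.
# Assumed sulog layout:  SU MM/DD HH:MM +|- tty fromuser-touser
# ("+" marks a successful su, "-" a failed attempt).

# Constructed sample data; on a real system feed /var/adm/sulog instead.
sample_sulog() {
cat <<'EOF'
SU 02/20 23:10 + pts/1 asmith-root
SU 02/21 09:02 + pts/0 jdoe-oracle
SU 02/21 19:31 - pts/4 bkim-root
SU 02/21 19:44 + pts/2 jdoe-root
SU 02/21 19:49 + pts/3 mlee-oracle
SU 02/21 20:15 + pts/2 asmith-root
EOF
}

# su_before_incident MM/DD HH:MM WINDOW_MINUTES   (sulog lines on stdin)
# Prints "HH:MM tty from-to" for every successful su to root or oracle made
# on that date within WINDOW_MINUTES up to and including the incident minute.
# Windows that cross midnight are not handled; run it once per date.
su_before_incident() {
    awk -v day="$1" -v at="$2" -v win="$3" '
        function mins(hhmm,   p) { split(hhmm, p, ":"); return p[1] * 60 + p[2] }
        BEGIN { t = mins(at) }
        $1 == "SU" && $2 == day && $4 == "+" {
            m = mins($3)
            # The target account is the part after the last "-".
            n = split($6, who, "-")
            target = who[n]
            if ((target == "root" || target == "oracle") && m <= t && m >= t - win)
                print $3, $5, $6
        }'
}

# Incident time taken from the alert log quoted above: Feb 21 19:50.
sample_sulog | su_before_incident 02/21 19:50 30
```

The terminal names it prints can then be matched against the sessions shown by `last -R` for the same time.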