
Shutdown Trace

Ricky_2
Frequent Advisor

Shutdown Trace

Hi, I've a 10.20 system that was rebooted twice a couple of days ago. I'm trying to find out who rebooted it. The wtmp didn't show anyone logging in and btmp also didn't show any failed login attempts during that period. The only activity was logged in sulog, where someone su-ed successfully from root to oracle on terminal tty??. I have "console" in /etc/securetty. Can someone tell me what tty?? means, and is there any other trace that I can look at? /sbin/shutdown has permission 4555; is that correct? Won't it mean that anyone can shut down the machine? Thanks.
Olav Baadsvik
Esteemed Contributor

Re: Shutdown Trace


Hello,

Check the file /etc/shutdown.log

Also check the file /etc/shutdown.allow to
see if users other than root are given the
permission to shut down the machine.

Olav
Olav Baadsvik
Esteemed Contributor

Re: Shutdown Trace

Hi again.

Sorry, the name of the file is
/etc/shutdownlog

Olav
Ricky_2
Frequent Advisor

Re: Shutdown Trace

Hi Olav, thanks for the reply. /etc/shutdown.allow is a zero-length file, so I assume only root is allowed to shut down. /var/adm/shutdownlog only managed to log the shutdown date and time. There's not much info there either.
Bill McNAMARA_1
Honored Contributor

Re: Shutdown Trace

Try the "last" command to identify who was logged in.
It works for me (tm)
Bill McNAMARA_1
Honored Contributor

Re: Shutdown Trace

Does /var/adm/syslog/syslog.log not tell you who su'd to root?
It works for me (tm)
Ricky_2
Frequent Advisor

Re: Shutdown Trace

Hi Bill, thanks for the reply. Nope, "last" does not show any user logging into the system immediately before the shutdown. syslog.log was overwritten because the system was rebooted twice. Do you think that root access was gained from hard resetting the system, thereby explaining why no logins were captured in wtmp? Thanks.
Decio Miname
Frequent Advisor

Re: Shutdown Trace

Looks like someone is playing games with you...
This could help in some environments; you have to check if that is your case. Check the change date/time of the users' history files (typically .sh_history). That would give you an idea of who was on at that time. Probably you have to check that on backups, because anyone who has logged in since then now has a newer date/time on their history file.
This is not the best way to look for what you want, but it is better than nothing since the "right" files provided no useful information.
BTW, I've added a startup script on all my servers to save the OLDsyslog.log file at system startup time. In many cases, two reboots is a small number to miss the syslog information.
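The two techniques in this last reply, preserving OLDsyslog.log at boot so a second reboot cannot overwrite it and checking which users' .sh_history files changed after the shutdown, as an added example in POSIX sh. This is illustrative code, not the poster's actual startup script; the paths (/var/adm/syslog/OLDsyslog.log, an archive directory, /home as the root of home directories, /var/adm/shutdownlog as the time reference) are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example (not from the thread): keep OLDsyslog.log across reboots and
# list users whose shell history changed after a reference time.
# All paths used below are assumptions; adjust them for your system.

# Copy OLDsyslog.log to a timestamped archive so the next reboot cannot
# overwrite it. Args: source file, archive directory. Prints the archived path.
save_oldsyslog() {
    src=$1
    archive=$2
    [ -f "$src" ] || return 1
    mkdir -p "$archive" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    dest="$archive/OLDsyslog.log.$stamp"
    # Never clobber an archive made in the same second (e.g. a double reboot).
    n=0
    while [ -e "$dest" ]; do
        n=$(expr "$n" + 1)
        dest="$archive/OLDsyslog.log.$stamp.$n"
    done
    # -p keeps the original mtime, which is itself evidence of when it was written.
    cp -p "$src" "$dest" || return 1
    echo "$dest"
}

# Print the login name (home directory basename) of every user whose
# .sh_history under HOMEROOT is newer than REF. Using /var/adm/shutdownlog
# as REF gives "who ran a shell after the last logged shutdown".
# Args: reference file, root of home directories.
history_newer_than() {
    ref=$1
    homeroot=$2
    for f in "$homeroot"/*/.sh_history; do
        [ -f "$f" ] || continue        # unmatched glob or missing file
        if [ "$f" -nt "$ref" ]; then
            dir=${f%/.sh_history}
            echo "${dir##*/}"
        fi
    done
}

# Stand-alone usage from a startup script (assumed paths):
#   save_oldsyslog /var/adm/syslog/OLDsyslog.log /var/adm/syslog/archive
#   history_newer_than /var/adm/shutdownlog /home
```

Run save_oldsyslog early in the boot sequence, before syslogd rotates syslog.log into OLDsyslog.log again; the history check is only meaningful against a copy taken before anyone has logged in since the incident, which is why the reply points at backups.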