01-03-2004 03:55 PM
Where I should look
As a security administrator, I have just got the root password, after the production system administrator has returned it.
How can I know what they have done when they used the root password?
01-03-2004 07:51 PM
Re: Where I should look
In these kinds of situations it is preferred to have some type of auditing tool already in place so that you can compare the system before and after the root password was given. Various tools include Tripwire, Power Broker, Logcheck, and even IDS/9000 can serve as an auditing tool.
If there isn't any kind of auditing tool in place, the first thing to look for is the command history file for root (i.e., .sh_history). This will list all the commands that root executed.
You can also take a look at the syslog (/var/adm/syslog/syslog.log) and see what system changes took place in the time frame they had the password.
Also run pwck and grpck and also take a look at the password/group files for any suspicious entries.
Last but not least, check for any suid/sgid programs that may look suspicious:
# find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -ld {} \;
Hope all this helps!
-Hazem
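The checks from the reply above (UID 0 entries in the password file, set-uid/set-gid files compared against a "before" inventory, and files changed in the time frame the password was out), as an added example that is not part of the original thread. The function names, scratch paths, account names and timestamps are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names, paths and sample data are assumptions.

# Accounts other than root that hold UID 0 in a passwd-format file.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Sorted list of set-uid / set-gid regular files under a directory.
setid_files() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null | sort
}

# Set-id files present now but absent from a saved baseline list.
new_setid() {            # usage: new_setid BASELINE DIR
    setid_files "$2" | comm -13 "$1" -
}

# Files modified inside START..END (touch -t form, CCYYMMDDhhmm). Reference
# files plus -newer keep this portable to finds without GNU time options.
changed_between() {      # usage: changed_between START END DIR
    ref=${TMPDIR:-/tmp}/rootwin.$$
    mkdir -m 700 "$ref" || return 1          # refuses a pre-existing name
    touch -t "$1" "$ref/start"
    touch -t "$2" "$ref/end"
    find "$3" -type f -newer "$ref/start" ! -newer "$ref/end" -print \
        2>/dev/null | grep -vF "$ref/" | sort
    rm -rf "$ref"
}

# Constructed sample data: a scratch tree standing in for the real system.
demo_setup() {
    demo=${TMPDIR:-/tmp}/rootdemo.$$
    mkdir -m 700 "$demo" "$demo/bin" || return 1
    printf '%s\n' 'root:x:0:3::/:/sbin/sh' 'ops:x:0:20::/home/ops:/usr/bin/sh' \
        'bob:x:101:20::/home/bob:/usr/bin/sh' > "$demo/passwd"
    : > "$demo/bin/su"; chmod 4555 "$demo/bin/su"
    touch -t 200312010900 "$demo/bin/su"
    setid_files "$demo" > "$demo/baseline"   # inventory taken "before"
    : > "$demo/bin/newtool"; chmod 4755 "$demo/bin/newtool"
    touch -t 200401031200 "$demo/bin/newtool" "$demo/passwd"
}

# Run against the sample tree only when invoked as: sh script.sh demo
if [ "${1:-}" = demo ] && demo_setup; then
    uid0_accounts "$demo/passwd"
    new_setid "$demo/baseline" "$demo"
    changed_between 200401030800 200401031700 "$demo"
    rm -rf "$demo"
fi
```

The baseline only helps if `setid_files` output was saved before the password was handed out; modification times can be reset by anyone with root, so an empty `changed_between` result is not proof that nothing changed.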
01-04-2004 06:58 PM
Re: Where I should look
One more thing to say: instead of giving out the root password, try to use sudo.
Things can be better controlled.
Sunil
01-04-2004 10:26 PM
Re: Where I should look
Just a thought ..
-Karthik S S
01-04-2004 10:30 PM
Re: Where I should look
If you have worries about what may have happened while someone had root access, make sure you change the password so they cannot revisit.
Some very worthwhile reading is HP-UX 11i Security by Chris Wong: www.hp.com/hpbooks
:-) John.