
BLU Discuss list archive



A few linux auditing questions



I am running 64-bit Fedora 10 and 12 (and yes, I know they are both
old versions, but I don't have the ability, at the moment, to upgrade
them, so I need to work with what I have).

These machines are part of a NIS network and do NOT have SELinux enabled.

A few questions to help educate me:

- If I run aureport -i -l -ts this-week -te this-week I sometimes
get a resulting username of "unknown". /var/yp is up-to-date and
/etc/passwd shows no unusual entries for the NIS server nor any of the
clients. What might cause the 'unknown' entries?

- In /etc/pam.d/system-auth what is the function of shadow, I think on
one of the password lines?

- If I type history in bash, I get a listing of commands entered, but
no corresponding date/time stamps. I did recently learn about the
history timestamp bash variable, but if I export it, it will show me
the history commands with a date/time stamp of _now_ (when I exported
it). Is there _any_ way to see when the command was entered, or is
it a lost cause?

- As a follow-up to history, if chkconfig _whatever_ on/off was typed
(say chkconfig auditd on or off), where is the best place to see
_when_ it might have been entered? I looked in /var/log/messages
but it was not readily apparent.

Thanks.

Scott
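
An added example, not part of Scott's message: bash writes a `#<epoch>` line ahead of a command in the history file only when HISTTIMEFORMAT is set at the time the entry is saved, so the file itself shows which entries have a recoverable time. The sample history, its epoch values and the function names below are constructed for illustration, and one-line commands are assumed.

```shell
#!/bin/sh
# Added example: list which entries in a bash history file carry a
# recorded timestamp. Assumes one-line commands.

# write_sample FILE: constructed sample history. The first two commands
# were saved without HISTTIMEFORMAT set, the last two with it set.
write_sample() {
    cat > "$1" <<'EOF'
ls -l /var/log/audit
chkconfig auditd off
#1262304000
aureport -i -l -ts this-week -te this-week
#1262304060
chkconfig auditd on
EOF
}

# history_times FILE: print "<epoch><TAB><command>" for every entry.
# The epoch field is "-" when no "#<epoch>" line precedes the command,
# meaning no entry time was ever written to disk for it.
history_times() {
    awk '
        /^#[0-9]+$/ { ts = substr($0, 2); next }   # timestamp marker line
        { printf "%s\t%s\n", (ts == "" ? "-" : ts), $0; ts = "" }
    ' "$1"
}

# count_untimed FILE: number of entries with no recorded time.
count_untimed() {
    history_times "$1" | awk -F'\t' '$1 == "-" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample.
demo_file=$(mktemp)
write_sample "$demo_file"
history_times "$demo_file"
echo "entries without a recorded time: $(count_untimed "$demo_file")"
rm -f "$demo_file"
```

Run `history_times` against a copy of the account's history file (by default `~/.bash_history`); an epoch value can be converted to a readable time with GNU `date -d @<epoch>`.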





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
