Check the root History File
Bash records the commands typed in an interactive shell in the user's history file, which for root is /root/.bash_history. The shell keeps the last HISTSIZE commands (bash's built-in default is 500; many distributions raise it in /etc/profile). Typing the history command as root lists those commands, numbered in order with the most recent last, and gives a quick view of what has been done from that account.
If root's history is empty it is time to be suspicious, unless of course it was cleared on purpose. A cracker who has obtained a root shell will commonly point the history at /dev/null, either by setting HISTFILE=/dev/null in the shell or in a startup file such as .bashrc, or by replacing /root/.bash_history with a symbolic link to /dev/null, so that nothing is written when the shell exits. One way to check is to look at how the history is set up: print the shell's HISTFILE variable and look at the long directory listing of /root/.bash_history.
Normally HISTFILE is /root/.bash_history and the listing shows an ordinary, non-empty file.
If HISTFILE is /dev/null, or the listing shows .bash_history as a symbolic link to /dev/null, there are problems: every command run in that shell is being discarded, so there will be no record of what a cracker is doing on the terminal. Bear in mind too that bash only writes the history file when an interactive shell exits normally, so an intruder who is still logged in, or who killed the shell instead of logging out, also leaves nothing in the file.
Check the other users' history files as well, depending on who actually uses the system. A cracker who has gained access to an ordinary account may work from it for exploration and for building tools before they obtain root, so those histories can show the earliest steps of an intrusion. Since the history is written by the intruder's own shell, it is evidence only when they did not think to suppress it: treat a clean history as absence of evidence, not evidence of absence.
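The checks described above (HISTFILE pointing at /dev/null, .bash_history replaced by a link to /dev/null, startup files that switch history off) together with the per-account sweep from the previous paragraph, as an added shell example that is not part of the original tutorial. It assumes bash accounts whose startup files are .bashrc, .bash_profile or .profile, and that you pass in the live HISTFILE value yourself, since bash does not export it to child processes; the function names audit_history and audit_all_homes and the file name audit_history.sh are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an account's bash
# history setup for the signs of tampering described in the text.
#
# audit_history HOME [HISTFILE]
#   HOME      home directory to inspect (default /root)
#   HISTFILE  value of $HISTFILE as seen inside that user's interactive shell
#             (default HOME/.bash_history). Bash does not export it, so pass
#             "$HISTFILE" explicitly when sourcing this file from that shell;
#             an empty value means it is unset there.
# Prints one WARN line per finding and returns the number of findings (0 = clean).
audit_history() {
    home=${1:-/root}
    histfile=${2-"$home/.bash_history"}
    findings=0

    # 1. HISTFILE redirected to /dev/null (or unset) in the live shell:
    #    nothing will be written when that shell exits.
    case "$histfile" in
        /dev/null|"")
            echo "WARN: HISTFILE for $home is '$histfile'; commands are discarded"
            findings=$((findings + 1)) ;;
    esac

    # 2. .bash_history replaced by a symlink to /dev/null (the classic cover-up),
    #    otherwise missing or empty.
    if [ -L "$home/.bash_history" ]; then
        echo "WARN: $home/.bash_history is a symlink to $(readlink "$home/.bash_history")"
        findings=$((findings + 1))
    elif [ ! -e "$home/.bash_history" ]; then
        echo "WARN: $home/.bash_history does not exist"
        findings=$((findings + 1))
    elif [ ! -s "$home/.bash_history" ]; then
        echo "WARN: $home/.bash_history is empty"
        findings=$((findings + 1))
    fi

    # 3. Startup files that disable history for every future shell.
    #    The leading ^[^#]* skips lines that are commented out.
    pattern='^[^#]*(HISTFILE=/dev/null|HISTSIZE=0+([^0-9]|$)|HISTFILESIZE=0+([^0-9]|$)|unset[[:space:]]+HISTFILE([^A-Za-z_]|$)|set[[:space:]]+\+o[[:space:]]+history)'
    for startup in "$home/.bashrc" "$home/.bash_profile" "$home/.profile"; do
        [ -f "$startup" ] || continue
        if grep -Eq "$pattern" "$startup"; then
            echo "WARN: $startup disables history: $(grep -E "$pattern" "$startup" | head -n 1)"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}

# Run the file-based checks over every account that has a home directory,
# reading a passwd file (default /etc/passwd). HISTFILE cannot be observed
# from outside the user's own shell, so only checks 2 and 3 apply here.
audit_all_homes() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -d "$home" ] || continue
        echo "== $user ($home)"
        audit_history "$home" || true
    done < "${1:-/etc/passwd}"
}

# Usage from root's own interactive shell, so $HISTFILE is the live value:
#   . ./audit_history.sh; audit_history /root "$HISTFILE"; audit_all_homes
if [ $# -gt 0 ]; then
    audit_history "$@"
fi
```

The return value is the number of findings, so the function can be chained into a larger audit script; a non-zero result is a prompt to look further (who last wrote the startup file, whether the symlink's timestamp matches a login in wtmp), not proof on its own, since an administrator may have disabled history deliberately.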
Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874