Note also that /var/log/wtmp will have potentially useful information.

Do a 'who -a' to access the entries which should provide you a list of
logins and should give you a hint of who was logged in when the system was
shut down.

Once you have that do a "strings" on their shell history files (I hope it's
configured right) so that you can see who did what.

In terms of forensics, this has tended to be a good place for me to start.

Oh, yeah, I hope you don't allow people to log in as root and instead have
people log in as regular users and use sudo...  which means that
/var/log/sulog can speak to you as well.

And that's just things that can happen w/i linux.  If someone forced a
logoff of the virtual machine...  well, that'll have to be traced within
z/VM, won't it?

-soup

--------------------
John R. Campbell, Speaker to Machines (GNUrd)      (813) 356-5322 (t/l 697)
Adsumo ergo raptus sum
MacOS X: Because making Unix user-friendly was easier than debugging
Windows.
Red Hat Certified Engineer (#803004680310286)
IBM Certified: IBM AIX 4.3 System Administration, System Support

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
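
The wtmp check described in the message above, as an added example that is not part of the original post: it walks raw wtmp records and lists sessions that had no logout record when the system went down. It assumes the 384-byte glibc `struct utmp` layout of 64-bit Linux, big-endian byte order as on s390x, and the shutdown-record convention that `last` recognizes; the function names and the sample records are constructed for illustration.

```python
import struct

# glibc "struct utmp" on 64-bit Linux, 384 bytes per record: type, pid, line,
# id, user, host, exit status (2 shorts), session, tv_sec, tv_usec, addr_v6.
FIELDS = "hxxi32s4s32s256shhiii4i20x"
RUN_LVL, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 1, 2, 7, 8

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data, byteorder=">"):
    """Yield (type, line, user, host, tv_sec); '>' is big-endian, as on s390x."""
    rec = struct.Struct(byteorder + FIELDS)
    for off in range(0, len(data) - len(data) % rec.size, rec.size):
        f = rec.unpack_from(data, off)
        yield f[0], _text(f[2]), _text(f[4]), _text(f[5]), f[9]

def open_at_stop(data, byteorder=">"):
    """Return (event_time, kind, user, line, host, login_time) for sessions with
    no logout record at a shutdown record ("shutdown") or at a boot record
    that follows no logged shutdown ("boot")."""
    sessions, found = {}, []
    for typ, line, user, host, ts in parse_wtmp(data, byteorder):
        if typ == USER_PROCESS:            # login: remember who holds the line
            sessions[line] = (user, host, ts)
        elif typ == DEAD_PROCESS:          # logout: the line is free again
            sessions.pop(line, None)
        elif typ == BOOT_TIME or (typ == RUN_LVL and user == "shutdown"):
            kind = "boot" if typ == BOOT_TIME else "shutdown"
            for ln, (u, h, t) in sorted(sessions.items()):
                found.append((ts, kind, u, ln, h, t))
            sessions.clear()
    return found

def make_record(typ, line, user, host, ts, byteorder=">"):
    """Pack one record; used only to build the constructed sample below."""
    return struct.pack(byteorder + FIELDS, typ, 0, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample: users, hosts and timestamps are invented for illustration.
SAMPLE = b"".join(make_record(*r) for r in [
    (USER_PROCESS, "pts/0", "alice", "192.0.2.5", 1100),
    (USER_PROCESS, "pts/1", "bob", "192.0.2.7", 1200),
    (DEAD_PROCESS, "pts/0", "", "", 1300),
    (RUN_LVL, "~", "shutdown", "", 1400),
    (BOOT_TIME, "~", "reboot", "", 1500),
    (USER_PROCESS, "ttyS0", "carol", "", 1600),
    (BOOT_TIME, "~", "reboot", "", 1700),
])
```

On a copy of the real file, pass its bytes to `open_at_stop`; a "boot" entry means the session was still open when the next boot was recorded without a shutdown record in between.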