On Sat, 12 Oct 2002 12:29:19 -0300
Sergio Tschá Wanderley <[EMAIL PROTECTED]> wrote:
> I´m in trouble trying to figure out the meaning of the following
> message in /var/log/messages on my Red Hat 7.2 (kernel
> 2.4.7-10custom) server:
>
> Oct 8 06:37:46 server su(pam_unix)[17201]: session opened for user
> root by (uid=0) Oct 8 06:37:51 server su(pam_unix)[17201]: session
> closed for user root
>
> First I thought It was something related to a root login on the
> console or an user opening a root session but the message in that
> case wouldn´t be like this one. Notice the missing username after
> the "by" on the message.
>
> I´m really don´t know where this came from.
>
>
I would check the /etc/passwd file for changes; user with uid 0
and the file timestamp. Remember, the /var/log/messages can be altered
('by <user>' deleted.)
You might also 'grep' through the /var/log/messages, .1, .2,.3,.4
and /var/log/secure, etc., for pam_unix entries of a similar nature.
Best,
Tom
--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
