On Sat, 12 Oct 2002 12:29:19 -0300 Sergio Tschá Wanderley <[EMAIL PROTECTED]> wrote:
> I'm in trouble trying to figure out the meaning of the following
> message in /var/log/messages on my Red Hat 7.2 (kernel
> 2.4.7-10custom) server:
>
> Oct 8 06:37:46 server su(pam_unix)[17201]: session opened for user root by (uid=0)
> Oct 8 06:37:51 server su(pam_unix)[17201]: session closed for user root
>
> First I thought it was something related to a root login on the
> console or a user opening a root session but the message in that
> case wouldn't be like this one. Notice the missing username after
> the "by" on the message.
>
> I really don't know where this came from.

I would check the /etc/passwd file for changes; user with uid 0 and
the file timestamp. Remember, the /var/log/messages can be altered
('by <user>' deleted.) You might also 'grep' through the
/var/log/messages, .1, .2, .3, .4 and /var/log/secure, etc., for
pam_unix entries of a similar nature.

Best,

Tom
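
The two checks suggested in the reply above, as an added example that is not part of the original message: list every UID 0 account in a passwd-format file, and pull out pam_unix "session opened" entries that have no username before `(uid=N)` across a log and its rotated copies. The function names and the sample file contents are assumptions constructed for illustration; on a real host the arguments would be /etc/passwd and /var/log/messages with its rotated files.

```shell
#!/bin/sh
# Added example; all file contents below are constructed sample data.

# List accounts whose UID field is 0 in a passwd-format file.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print pam_unix "session opened" entries that have no username between
# "by " and "(uid=N)", prefixed with the file each one came from.
blank_opener_sessions() {
    awk '/\(pam_unix\)/ && /session opened for user/ &&
         / by \(uid=[0-9]+\)/ { print FILENAME ": " $0 }' "$@"
}

# Write constructed stand-ins for /etc/passwd, messages and messages.1.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
    cat > "$1/messages" <<'EOF'
Oct 8 06:37:46 server su(pam_unix)[17201]: session opened for user root by (uid=0)
Oct 8 06:37:51 server su(pam_unix)[17201]: session closed for user root
Oct 8 09:12:03 server su(pam_unix)[17544]: session opened for user root by alice(uid=500)
EOF
    cat > "$1/messages.1" <<'EOF'
Oct 1 06:37:44 server su(pam_unix)[9120]: session opened for user root by (uid=0)
EOF
}

dir=$(mktemp -d)
make_samples "$dir"
echo "UID 0 accounts:"
uid0_accounts "$dir/passwd"
echo "Sessions opened with no username after 'by':"
blank_opener_sessions "$dir/messages" "$dir/messages.1"
rm -rf "$dir"
```

More than one name in the first list, or blank-opener entries at times that match no known job or administrator activity, are the items to follow up, together with `ls -l /etc/passwd` for the timestamp check.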