Commands log format - Has the commands log been edited?

safedba

New Member
Joined
Jan 19, 2021
Messages
3
Reaction score
0
Credits
27
I see"

Jan 15 08:23:13 server bob root 3281 ./script_to_run

Later, today I see

Jan 19 08:13:53 server pat root 3281 ./script_to_run

I don't know what 3281 is, but I'm suspicious, because it says I did this thing, but I didn't "I" being the user "pat" I'm not able to find a complete explanation of the format online.
 


Try running
Code:
users
and see what is returned
 
That just shows me who's logged on... I'm just suspicious that another admin doctored the log.

I have an entry for a command listed as occurring on the 14th listed as being done on the 19th as well.
 
My first thought was a PID, but it seems unlikely (maybe not impossible) for the same PID to be used on different days by different root users.

Another thought is port number. Can you determine if 3281 is meaningful in any way to ./script_to_run? These are the common elements (plus root) from what you provided. Maybe a non-default ssh port?

My .bash_history is not formatted this way, so I can't guess what "command log" you are using. You might enlighten us with your OS, and what log you are viewing. Maybe we could help find the format if we knew more.
 
Last edited:
Where are you getting this log from and what version of Linux are you using?
 
My first thought was a PID, but it seems unlikely (maybe not impossible) for the same PID to be used on different days by different root users.

Another thought is port number. Can you determine if 3281 is meaningful in any way to ./script_to_run? These are the common elements (plus root) from what you provided. Maybe a non-default ssh port?

My .bash_history is not formatted this way, so I can't guess what "command log" you are using. You might enlighten us with your OS, and what log you are viewing. Maybe we could help find the format if we knew more.

I don't think it's a port number. This is RHEL7 and I'm not certain what process is updating the log. I'll see if it's auditd tomorrow. The standard isn't to name it commands.log, but I can't find anything in RHEL7 which defaults to this.

I'm just a bit frustrated, because I don't want to accuse this linux guy of forging the logs, because that would be a firing offense, but I can't let this slide.
 
I'm sorry I can't be of much help (I'm in over my head already). I glanced at the official RHEL7 Sysadmin's Guide, Chapter 23. Viewing and managing log files, and the best I can get from that is to look through your /etc/rsyslog.conf file for a clue. It may have a template or filter defined for a custom commands.log... and perhaps it would identify what 3281 may represent. Or maybe the documentation could steer you in a better direction.

Or maybe one of the folks here can be more help. Our admin @Rob is pretty familiar with Redhat, and @KGIII who has already joined this thread. Also @dos2unix is a Redhat sysadmin, I think. Maybe others as well. But not everyone is on here everyday, and you might need patience to hear from them.

Good luck!
 
Moving this to Linux Security where it is more appropriate. @stan and @Vrai please note.

G'day @safedba and welcome to linux.org

Do take a look through the subforums before you post, won't you? You stand a better chance of a qualified reply with the correct placement of a Thread. :)

@f33dm3bits is also qualified in Redhat, so these people will be along to take a look at the issue when they can.

Cheers

Chris Turner
wizardfromoz
 
I don't know what 3281 is, but I'm suspicious, because it says I did this thing, but I didn't "I" being the user "pat" I'm not able to find a complete explanation of the format online.
That output looks like output from ls -l, the 3281 is the size of the file in bytes. Let me show you:
Code:
[root@rhel8 ~]# touch example.txt
[root@rhel8 ~]# ls -l example.txt 
-rw-r--r--. 1 root root 0 Jan 20 09:13 example.txt
[root@rhel8 ~]# echo "Hello World" >> example.txt 
[root@rhel8 ~]# ls -l example.txt 
-rw-r--r--. 1 root root 12 Jan 20 09:13 example.txt
[root@rhel8 ~]# echo "Hello World2" >> example.txt 
[root@rhel8 ~]# ls -l example.txt 
-rw-r--r--. 1 root root 25 Jan 20 09:13 example.txt
[root@rhel8 ~]# echo "Hello World3" >> example.txt 
[root@rhel8 ~]# ls -l example.txt 
-rw-r--r--. 1 root root 38 Jan 20 09:13 example.txt
[root@rhel8 ~]# echo "Hello World4" >> example.txt 
[root@rhel8 ~]# ls -l example.txt 
-rw-r--r--. 1 root root 51 Jan 20 09:14 example.txt
[root@rhel8 ~]# echo "Hello World5" >> example.txt 
[root@rhel8 ~]# ls -l example.txt 
-rw-r--r--. 1 root root 64 Jan 20 09:14 example.txt
 
That just shows me who's logged on... I'm just suspicious that another admin doctored the log.

I have an entry for a command listed as occurring on the 14th listed as being done on the 19th as well.
Yes. But we had to start somewhere as there in not enough information provided.

Where are you getting this log from and what version of Linux are you using?
This would be a very good place to start also.
I don't think it's a port number. This is RHEL7 and I'm not certain what process is updating the log. I'll see if it's auditd tomorrow. The standard isn't to name it commands.log, but I can't find anything in RHEL7 which defaults to this.

I'm just a bit frustrated, because I don't want to accuse this linux guy of forging the logs, because that would be a firing offense, but I can't let this slide.
It would seem that you really do not have enough information to start making accusations.
Step by step through a process of elimination is how I would approach it.
 

Members online


Latest posts

Top