security

Michael Cronenworth mike at cchtml.com
Tue Mar 11 19:21:50 UTC 2014


Dustin Kempter wrote:
> we looked at the .bash_history file for postgres and see no entries for pg_ctl
> however we do see the service stop command in the root .bash_history file, but
> we have no timestamps in the bash_history file

Add this to a file in /etc/profile.d/mycustom.sh:

export HISTTIMEFORMAT="%F %r "

However, this will only catch future timestamps.


>
> Are there other log files we can leverage for this search?

The "last" command will present you with a list of logins that include user, 
time, and location (local or remote with IP address).

Unfortunately RHEL/CentOS do not have verbose logging by default so there is not 
much else to look at. SystemD (RHEL7) will have service start/stop logging so 
we're getting better.

Also, remember that things like ~/.bash_history are user-editable so they are 
not always reliable. If the user has root access they can change any log, too.
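
An added example, not part of the original post: once HISTTIMEFORMAT is set, bash writes a "#<epoch seconds>" line before each command in the history file, and this script pairs those markers with commands to list service stop and pg_ctl stop entries. The sample history, the SUSPECT pattern and the function names are constructed for illustration, and one command per line is assumed; entries recorded before the setting come back without a time.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a root .bash_history file. The first two commands were
# recorded before HISTTIMEFORMAT was set, so no "#<epoch>" line precedes them.
SAMPLE_HISTORY = """\
cd /var/lib/pgsql
service postgresql stop
#1394532000
tail -n 50 /var/log/messages
#1394532125
service postgresql stop
#1394532190
# note to self: check disk space
#1394532200
service postgresql start
"""

# With HISTTIMEFORMAT set, bash writes "#<epoch seconds>" before each command.
STAMP = re.compile(r"^#(\d+)$")
# Commands of interest for this thread (pattern is an assumption of the example).
SUSPECT = re.compile(r"\b(service\s+\S+\s+stop|pg_ctl\b.*\bstop)\b")


def parse_history(text):
    """Return (utc_datetime_or_None, command) for each history entry."""
    entries, pending = [], None
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            pending = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            continue
        if line.strip():
            entries.append((pending, line))
            pending = None  # a marker applies only to the line right after it
    return entries


def find_stops(text):
    """Entries matching SUSPECT; the timestamp is None when none was recorded."""
    return [(ts, cmd) for ts, cmd in parse_history(text) if SUSPECT.search(cmd)]


if __name__ == "__main__":
    for ts, cmd in find_stops(SAMPLE_HISTORY):
        print(ts.isoformat() if ts else "no timestamp recorded", "|", cmd)
```

The times come from a file the user can edit, so they are a lead to compare against "last" output, not proof.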

