SUMMARY: slam vs init 5

From: Kain, Becki (B.) (bkain1@ford.com)
Date: Mon May 08 2000 - 16:27:07 CDT


My question:
I have this sort of forensics issue to deal with. I need to prove that a
set of 2.6 boxes were slammed instead of being properly shut down. I have
tried looking at the last output, but I'm looking for any other ideas on how
I'd show this, beyond a doubt.

Thanks to all who helped!

Unixboy@aol.com
James Coby [james.coby@veritas.com]
Wallie Leung [wallie@us.cibc.com]
Lee, Annette [Annette_Lee@bmc.com] - (and yes, a healthy dose of sys admin
outrage is good once in a while :-) )
Brown, Melissa [BrownM@fhu.disa.mil]
vogelke@c17mis.region2.wpafb.af.mil
Mike Evans [mevans@inficad.com]
Rick Francis [rfrancis@mindspring.com]
Jay Lessert [jayl@latticesemi.com]
Drexx Laggui [drexx@pacific.net.sg]
Myles, Anita CECOM SEC LSSC CENCOR [mylesa@ST-LOUIS-EXCH01.army.mil]
Viet_Q_Hoang [vhoang@lucent.com]
Salehi, Michael E [Mike.Salehi@usa.xerox.com]

This question is really a stumper. There is no sig 15 sent to
/var/adm/messages, at least not all the time. I was not around to see if an
fsck was needed or not at the boot up. This was an after the fact
investigation. I will turn savecore on and buy "PANIC! UNIX System Crash
Dump Analysis Handbook". Any files that would have been in the lost+found
would have been relinked on the reboot. Using ksh for a /.sh_history or
enabling the BSM module was suggested. Looking in the sulog was also
suggested. When I viewed last on my test machine, I couldn't seem to get it to
reboot without showing that root had been logged in, even on a slam. I'm
not certain what's up with that. In the end, there was no way to prove what
had really happened to the boxes.
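As an added illustration (not part of the original post) of the /var/adm/messages check discussed above: the script below pairs each kernel boot banner with whether syslogd logged its "going down on signal 15" line since the previous boot. The sample log lines and the exact message formats are constructed assumptions; as the summary notes, a missing signal-15 line is inconclusive, since it is not always written.

```python
import re

# Constructed sample of /var/adm/messages lines (assumed Solaris-style format;
# not taken from the original post). The second boot has no preceding
# "going down on signal 15" line from syslogd.
SAMPLE_MESSAGES = """\
May  5 17:02:11 host1 syslogd: going down on signal 15
May  5 17:05:40 host1 unix: SunOS Release 5.6 Version Generic_105181-05
May  6 09:14:02 host1 unix: SunOS Release 5.6 Version Generic_105181-05
May  7 22:40:13 host1 syslogd: going down on signal 15
May  7 22:43:55 host1 unix: SunOS Release 5.6 Version Generic_105181-05
"""

# syslog timestamp (no year) followed by hostname
STAMP = r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+"
SHUTDOWN_RE = re.compile(STAMP + r"syslogd: going down on signal 15")
BOOT_RE = re.compile(STAMP + r"unix: SunOS Release")

CLEAN = "clean shutdown logged"
UNKNOWN = "no shutdown logged (inconclusive)"


def classify_boots(messages: str):
    """For each boot banner, report whether syslogd recorded a clean
    shutdown (signal 15) since the previous boot.

    Returns a list of (boot_timestamp, verdict) tuples in log order.
    A verdict of UNKNOWN only means the evidence is absent: syslogd may
    not have flushed the line, or the log may have been rotated."""
    results = []
    shutdown_seen = False
    for line in messages.splitlines():
        if SHUTDOWN_RE.match(line):
            shutdown_seen = True
        elif (m := BOOT_RE.match(line)):
            results.append((m.group(1), CLEAN if shutdown_seen else UNKNOWN))
            shutdown_seen = False  # reset for the next boot interval
    return results


if __name__ == "__main__":
    for stamp, verdict in classify_boots(SAMPLE_MESSAGES):
        print(f"boot at {stamp}: {verdict}")
```

Run it against a real /var/adm/messages (and its rotated copies, e.g. messages.0, so older boots are not lost) and treat the output as one input to the investigation alongside last, sulog and any shell history, not as proof on its own.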



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:07 CDT