Quote:
Originally Posted by
hdatontodo
Hi
One server had the problem at 11:58am, one at 11:59.
One guy was logged in about 15 mins before checking if a port was listening but his ticket notes only show he checked that.
Auditing is not enabled.
Thanks
How did you check who was logged in?
I'd check what's in root's crontabs, and also the modification time of the crontab files in /var/spool/crontab.
And then I'd enable auditing.
The mystery here isn't "what", the mystery is "who". The real problem is failing to own up to a mistake - we all make them.
It's the hiding of the mistake that's an indication of a problem admin, because now you start wondering what other mistakes are being hidden because you now know you can't trust that admin to admit mistakes.